
Release please

Open schneems opened this issue 4 years ago • 5 comments

Hello,

First, thanks a ton for this gem; I use it on my blog and it's great. Second, I see there's quite a bit of development on main that isn't on rubygems (last gem is 2018). Can y'all consider cutting a release? Thank you 🙏

schneems avatar May 18 '21 14:05 schneems

We're using jekyll-assets to increase the performance of our static site. Thank you for this awesome gem. Currently, we've added jekyll-assets with the corresponding git URL to our Gemfile. However, this causes various problems with GitHub Actions and security policies. A new release to Rubygems would be highly appreciated. Let me know if we can support you with maintaining this project!

itrich avatar May 26 '22 08:05 itrich

+1 to this! I was trying to figure out why Sprockets 4 wasn't working with my site, since it looked like it had been fixed here a couple of years ago, and was surprised to find out it was because the latest version on RubyGems was really old. A release would be appreciated! 🙏

tcdowney avatar Jun 20 '22 16:06 tcdowney

Bump - I just ran into the sprockets 4 issue due to the new bundler 2.4 release which brings in a new resolver. My app is now resolving to jekyll-assets 3.0.12 + sprockets 4 which is causing issues that have been fixed, but not released.

Fryguy avatar Jan 03 '23 19:01 Fryguy

Until this project releases a new gem, I am using this unstable mechanism to get the gem from git HEAD:

gem 'jekyll-assets', git: 'https://github.com/envygeeks/jekyll-assets'

An actual release would be so much better!

A new release would mean that bundle audit on Jekyll projects would pass. Using jekyll-assets v3.0.12 results in the audit failing with multiple CVEs:

Name: rack
Version: 1.6.13
CVE: CVE-2020-8161
GHSA: GHSA-5f9h-9pjv-v6j7
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to '~> 2.1.3', '>= 2.2.0'

Name: rack
Version: 1.6.13
CVE: CVE-2020-8184
GHSA: GHSA-j6w9-fv6q-3q52
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to '~> 2.1.4', '>= 2.2.3'

Name: rack
Version: 1.6.13
CVE: CVE-2022-30122
GHSA: GHSA-hxqx-xwvh-44m2
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Title: Denial of Service Vulnerability in Rack Multipart Parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-30123
GHSA: GHSA-wq4h-7r42-5hrr
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Title: Possible shell escape sequence injection vulnerability in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-44570
GHSA: GHSA-65f5-mfpf-vfhj
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via header parsing in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-44571
GHSA: GHSA-93pm-5p5f-3ghx
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of Service Vulnerability in Rack Content-Disposition parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-44572
GHSA: GHSA-rqv2-275x-2jq5
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via multipart parsing in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'

Name: sinatra
Version: 1.4.8
CVE: CVE-2022-29970
GHSA: GHSA-qp49-3pvw-x4m5
Criticality: High
URL: https://github.com/sinatra/sinatra/pull/1683
Title: sinatra does not validate expanded path matches
Solution: upgrade to '>= 2.2.0'

Name: sinatra
Version: 1.4.8
CVE: CVE-2022-45442
GHSA: GHSA-2x8x-jmrp-phxw
Criticality: High
URL: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
Title: Sinatra vulnerable to Reflected File Download attack
Solution: upgrade to '~> 2.2.3', '>= 3.0.4'

mslinn avatar Feb 15 '23 14:02 mslinn
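The audit report above lists, per advisory, the version ranges that fix it. As an added example (not code from the thread or from jekyll-assets), the script below parses a constructed excerpt in that same "Key: value" record format and uses RubyGems' own `Gem::Requirement` to tell which advisories a candidate dependency version would still leave open, which is the question to answer before pinning a newer rack or sinatra in a Gemfile:

```ruby
# Added example: check candidate gem versions against a bundle-audit style report.
require "rubygems"

# Constructed excerpt in the record format bundle-audit prints (blank line
# between records). URL/Title lines are optional and ignored by the check.
SAMPLE_REPORT = <<~REPORT
  Name: rack
  Version: 1.6.13
  CVE: CVE-2020-8161
  Criticality: High
  Solution: upgrade to '~> 2.1.3', '>= 2.2.0'

  Name: rack
  Version: 1.6.13
  CVE: CVE-2022-30123
  Criticality: Critical
  Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

  Name: sinatra
  Version: 1.4.8
  CVE: CVE-2022-29970
  Criticality: High
  Solution: upgrade to '>= 2.2.0'
REPORT

# Split the report into one Hash per blank-line separated record.
# "Key: value" is split on the first ": " only, so URLs survive intact.
def parse_audit(text)
  text.split(/\n{2,}/).map { |block|
    block.lines.map { |l| l.strip.split(": ", 2) }.reject { |kv| kv.size < 2 }.to_h
  }.reject(&:empty?)
end

# "upgrade to 'a, b', 'c'" -> [Gem::Requirement(a, b), Gem::Requirement(c)].
# Each quoted group is one fixed release line; satisfying any group is enough.
def fixed_requirements(solution)
  solution.scan(/'([^']+)'/).flatten.map { |grp|
    Gem::Requirement.new(*grp.split(",").map(&:strip))
  }
end

# CVE ids for `gem_name` that `version` would NOT fix (empty array = clean).
def open_advisories(report, gem_name, version)
  v = Gem::Version.new(version)
  parse_audit(report).select { |r| r["Name"] == gem_name }
    .reject { |r| fixed_requirements(r["Solution"]).any? { |req| req.satisfied_by?(v) } }
    .map { |r| r["CVE"] }
end

puts open_advisories(SAMPLE_REPORT, "rack", "2.2.0").inspect   # => ["CVE-2022-30123"]
```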

Looks like circleci took over this project. You can use the forked project in your Gemfile like this:

  gem 'jekyll-assets', git: 'https://github.com/circleci/jekyll-assets' # Took over from envygeeks

mslinn avatar Mar 05 '24 19:03 mslinn