Skip to content

Commit

Permalink
deps: relaxed and more precise dependency versions, to support more t…
Browse files Browse the repository at this point in the history
…arget environments

Allowing a broader range of versions for dependency gems will let a given ronn-ng version work in more environments, particularly distros that have fixed versions of the dependency gems in their packages, and systems running older Ruby versions. Added comments to the gemspec to explain why the version restrictions are there. I left them all open-ended on the upper bound because I'm not aware of any dep versions that break things, and I'll just assume back-compatibility until I know otherwise for specific gems.

The nokogiri minimum version is 1.14.3, because that's required for the behavior we want for HTML tag names with ":" in them. See #102.

I updated Gemfile.lock instead of removing it, but I no longer know if that's significant or good in deployment. Right now I'm mostly considering it an indication of the exact versions I tested it most heavily with. I don't expect downstream packagers to use or respect Gemfile.lock.
  • Loading branch information
apjanke committed Jan 4, 2024
1 parent 1ee76ff commit b4deb42
Show file tree
Hide file tree
Showing 4 changed files with 56 additions and 30 deletions.
1 change: 0 additions & 1 deletion .ruby-version

This file was deleted.

34 changes: 18 additions & 16 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,16 @@ PATH
remote: .
specs:
ronn-ng (0.10.1.pre4)
kramdown (~> 2.4)
kramdown-parser-gfm (~> 1.1)
mustache (~> 1.1)
nokogiri (~> 1.15)
kramdown (>= 2.1)
kramdown-parser-gfm (>= 1.0.1)
mustache (>= 0.7.0)
nokogiri (>= 1.14.3)

GEM
remote: https://rubygems.org/
specs:
ast (2.4.2)
base64 (0.2.0)
json (2.7.1)
kramdown (2.4.0)
rexml
Expand All @@ -19,7 +20,7 @@ GEM
language_server-protocol (3.17.0.3)
mini_portile2 (2.8.5)
mustache (1.1.1)
mustermann (2.0.2)
mustermann (3.0.0)
ruby2_keywords (~> 0.0.1)
nokogiri (1.15.5)
mini_portile2 (~> 2.8.2)
Expand All @@ -31,8 +32,9 @@ GEM
power_assert (2.0.3)
racc (1.7.3)
rack (2.2.8)
rack-protection (2.2.4)
rack
rack-protection (3.2.0)
base64 (>= 0.1.0)
rack (~> 2.2, >= 2.2.4)
rainbow (3.1.1)
rake (13.1.0)
regexp_parser (2.8.3)
Expand All @@ -52,10 +54,10 @@ GEM
parser (>= 3.2.1.0)
ruby-progressbar (1.13.0)
ruby2_keywords (0.0.5)
sinatra (2.2.4)
mustermann (~> 2.0)
rack (~> 2.2)
rack-protection (= 2.2.4)
sinatra (3.2.0)
mustermann (~> 3.0)
rack (~> 2.2, >= 2.2.4)
rack-protection (= 3.2.0)
tilt (~> 2.0)
test-unit (3.6.1)
power_assert
Expand All @@ -66,12 +68,12 @@ PLATFORMS
ruby

DEPENDENCIES
rack (~> 2.2, >= 2.2.3)
rake (~> 13.0, >= 13.0.3)
rack (>= 2.2.3)
rake (>= 13.0.3)
ronn-ng!
rubocop (~> 1.57)
sinatra (~> 2.2)
test-unit (~> 3.6)
rubocop (>= 1.25.1)
sinatra (>= 2.2.3)
test-unit (>= 3.2.7)

BUNDLED WITH
2.1.4
21 changes: 21 additions & 0 deletions doc-project/Dependency Notes.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Ronn-NG Dependency Notes

Ronn-NG tries to allow a wide range of dependency versions in its gemspec, and be strict and even specific about its gem dependencies in deployment and testing scenarios. This will hopefully let users install it as a gem in a wide variety of environments, and let distro packagers fit it in with different fixed versions of packaged dependencies, but be correct-er in testing and deployment in app or package form.

## Ruby version

I only develop and test on Ruby 2.6 and newer, and those are the only versions supported. Will probably be requiring >= 2.7 soon as of 2023.

Chose Ruby 2.6 as the minimum because those are the ones that come with bundler included, and I don't want to bother installing it there. (The default `gem install bundler` doesn't work; a version-specific `gem install bundler -v 2.3.26` might, but use of it tends to break due to bugs in early gem and bundler versions, and I don't want to deal with that.)

I mostly test on Ruby 2.7 or 3.x, because that's waht to seems to be in common use and distro shipping in 2023.

## Gem versions

I'm currently keeping the gem dependency versions in the gemspec as loose as I can, while everything still works (tests pass and I don't notice anything breaking), and keeping the min version high enough to pick up security fixes that I know about (mostly through Dependabot on GitHub). Specific reasons for those versions are noted in comments in the gemspec.

If you need to install it in an environment that only supplies older gems, edit the gemspec to relax the minimum version, and maybe it'll work? But it will be unsupported.

### nokogiri

We require nokogiri >= [1.14.3](https://github.com/sparklemotion/nokogiri/releases/tag/v1.14.3) because earlier versions have undesirable handling of tag names with ":" characters in them (which look like namespaces). I don't know if that's a bug or not; I assume so because it's a material behavior change in a patch version increment. That nokogiri version bumped its vendored libxml2 from 2.10.3 to 2.10.4. See [issue #102 "libxml 2.10+ compatibility for dot. and foo:colon angle-bracket syntax"](https://github.com/apjanke/ronn-ng/issues/102). Earlier libxml2 versions also have security vulnerabilities; that's why the [nokogiri 1.14.3 release notes](https://github.com/sparklemotion/nokogiri/releases/tag/v1.14.3) say they upgraded.
30 changes: 17 additions & 13 deletions ronn-ng.gemspec
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
Gem::Specification.new do |s|
s.name = 'ronn-ng'
s.version = '0.10.1.pre4'
# As of 2023-09, ronn-ng targets and is tested on Ruby 2.7 for deployment. May well
# be compatible with earlier versions, but that's not really supported, and users can
# modify this locally if they want to try under older Rubies.
s.required_ruby_version = '>= 2.7'
# As of 2023-09, ronn-ng targets and is tested on Ruby 2.7 for deployment. It'll mostly
# work on lower versions, but in effect requires >= 2.7 because it needs nokogiri
# >= 1.14.3 for correct tag name handling, and that nokogiri requires Ruby 2.7.
s.required_ruby_version = '>= 2.4'

s.summary = 'Builds man pages from Markdown'
s.description = 'Ronn-NG builds manuals in Unix man page and HTML format from Markdown. Ronn-NG is a modern, maintained fork of the original Ronn.'
Expand Down Expand Up @@ -61,15 +61,19 @@ Gem::Specification.new do |s|
s.test_files = s.files.select { |path| path =~ /^test\/.*_test.rb/ }

s.extra_rdoc_files = %w[LICENSE.txt AUTHORS]
s.add_dependency 'kramdown', '~> 2.4'
s.add_dependency 'kramdown-parser-gfm', '~> 1.1'
s.add_dependency 'mustache', '~> 1.1'
s.add_dependency 'nokogiri', '~> 1.15'
s.add_development_dependency 'rack', '~> 2.2', '>= 2.2.3'
s.add_development_dependency 'rake', '~> 13.0', '>= 13.0.3'
s.add_development_dependency 'rubocop', '~> 1.57'
s.add_development_dependency 'sinatra', '~> 2.2'
s.add_development_dependency 'test-unit', '~> 3.6'
s.add_dependency 'kramdown', '>= 2.1'
s.add_dependency 'kramdown-parser-gfm', '>= 1.0.1'
s.add_dependency 'mustache', '>= 0.7.0'
# nokogiri <= 1.14.2 mishandle tag names with ":" in them (see #102)
s.add_dependency 'nokogiri', '>= 1.14.3'
# rack < 2.2.3.0 have security vulns
s.add_development_dependency 'rack', '>= 2.2.3'
s.add_development_dependency 'rake', '>= 13.0.3'
# just a guess based on what I used to use
s.add_development_dependency 'rubocop', '>= 1.25.1'
# sinatra < 2.2.3 have security vulns
s.add_development_dependency 'sinatra', '>= 2.2.3'
s.add_development_dependency 'test-unit', '>= 3.2.7'

s.rdoc_options = ['--line-numbers', '--inline-source', '--title', 'Ronn']
s.require_paths = %w[lib]
Expand Down

0 comments on commit b4deb42

Please sign in to comment.