Lock Nokogiri version for Webrat monkey-patch #5745
Conversation
|
@jrichy1 I don't understand what you mean. Where exactly are you tagged? |
|
I'm not a committer, but I don't think this PR is mergeable. Locking devise to an older version of Nokogiri, a gem that gets a lot of security updates will lock out a lot of users for long ago compatibility support. Better to drop ruby 2.7 (which is not compatible with latest Rails versions and went EOL in 2023: https://endoflife.date/ruby) Also FYI #2469 is an issue not a PR, and has no attached code. And as an aside, webrat (last update 10 years ago) needs to be dropped - not most likely with capybara - which is the logical upgrade path. But we'd need to see a lot of commiter enthusiasm before anyone would do a PR on that. |
|
Sorry, the link to #2469 was wrong. Should have been sparklemotion/nokogiri#2469. Nokogiri is only used in tests, so there is no real security issue. But I agree that it is time to drop Ruby 2.7 support. |
Oops - yes missed that it was in Gemfile not gemspec... Sorry
👍 |
The monkey-patch
#2469in test/support/webrat/matchers.rb is not compatible with Nokogiri ≥ 1.17, so many tests are currently failing.Nokogiri dropped support for Ruby 2.7 in 1.16 which is still supported by Devise, so locking Nokogiri to < 1.17 seems like the easiest fix.