flink-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLINK-8308) Update yajl-ruby dependency to 1.3.1 or higher
Date Wed, 31 Jan 2018 16:33:00 GMT

    [ https://issues.apache.org/jira/browse/FLINK-8308?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347135#comment-16347135

ASF GitHub Bot commented on FLINK-8308:

GitHub user StevenLangbroek opened a pull request:


    [FLINK-8308] Remove explicit yajl-ruby dependency, update Jekyll to 3+

    ## What is the purpose of the change
    The docs depended on `yajl-ruby` 1.2, which had a security defect. Although we don't rely on ruby in our hosting infrastructure, it's best not to have contributors uninstall unsafe software. This PR updates Jekyll, and removes some explicit dependencies in favour of relying on built-in Jekyll dependencies.
    ## Brief change log
    * Update Jekyll to 3.7.2
    * Remove ruby2 distinction. Docs now depend on ruby 2.1+. Ruby 1.9 is over 10 years old, and OS X ships with 2.3. Maintaining backwards compatibility seems undesirable to me. If you disagree with this assumption, please let me know and let's discuss how to move forward.
    ## Verifying this change
    This change is a trivial rework / code cleanup without any test coverage.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/StevenLangbroek/flink flink_8308_yajl_ruby_dependency

Alternatively you can review and apply these changes as the patch at:


To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #5395
commit 51713d207dd266479029d5847df1b4731612b540
Author: Steven Langbroek <steven@...>
Date:   2018-01-31T16:26:28Z

    [FLINK-8308] Remove explicit yajl-ruby dependency, update Jekyll to 3+


> Update yajl-ruby dependency to 1.3.1 or higher
> ----------------------------------------------
>                 Key: FLINK-8308
>                 URL: https://issues.apache.org/jira/browse/FLINK-8308
>             Project: Flink
>          Issue Type: Task
>          Components: Project Website
>            Reporter: Fabian Hueske
>            Assignee: Steven Langbroek
>            Priority: Critical
>             Fix For: 1.5.0, 1.4.1
> We got notified that yajl-ruby < 1.3.1, a dependency which is used to build the Flink website, has a security vulnerability of high severity.
> We should update yajl-ruby to 1.3.1 or higher.
> Since the website is built offline and served as static HTML, I don't think this is a super critical issue (please correct me if I'm wrong), but we should resolve this soon.
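One way to audit a docs build for the condition the ticket and the PR above describe (a yajl-ruby below 1.3.1 in the resolved dependency set, whether pinned explicitly or pulled in by Jekyll), as an added example that is not part of the PR or the JIRA issue; the lockfile fragments and their version numbers are constructed for illustration:

```ruby
# Added example: scan a Gemfile.lock for yajl-ruby below the 1.3.1 floor
# named in FLINK-8308. Reading the lockfile (not the Gemfile) catches both
# an explicit pin and a transitive resolution through another gem.
require "rubygems"

MIN_SAFE = { "yajl-ruby" => Gem::Version.new("1.3.1") }.freeze

# Extract "name (version)" pairs from the `specs:` section of a Gemfile.lock.
# Resolved gems are indented by exactly four spaces; deeper lines are their
# dependency declarations and carry only a requirement, not a pinned version.
def locked_gems(lockfile_text)
  gems = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = Gem::Version.new(m[2])
    end
  end
  gems
end

# Return only the resolved gems that fall below their minimum safe version.
def vulnerable_gems(lockfile_text)
  locked_gems(lockfile_text).select do |name, version|
    MIN_SAFE.key?(name) && version < MIN_SAFE[name]
  end
end

# Constructed lockfiles: an explicit yajl-ruby pin on an old Jekyll, and the
# state after dropping the pin and moving to Jekyll 3.7.2 (versions illustrative).
BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll (2.5.3)
        kramdown (~> 1.3)
      yajl-ruby (1.2.1)

  PLATFORMS
    ruby
LOCK

AFTER = BEFORE.sub("jekyll (2.5.3)", "jekyll (3.7.2)").sub(/^ +yajl-ruby .*\n/, "")

puts vulnerable_gems(BEFORE).map { |n, v| "#{n} #{v} is below #{MIN_SAFE[n]}" }
```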

This message was sent by Atlassian JIRA
