bundle-audit reports:
Name: rest-client
Version: 1.6.8
Advisory: CVE-2015-1820
Criticality: Unknown
URL: https://github.com/rest-client/rest-client/issues/369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0
But when I try to update to 1.8.0, I find there are all kinds of dependencies that can't go to 1.8.0
What am I missing? My Google-fu got me nowhere.
Additional context:
In a moment of security-mindedness, I installed bundle-audit this AM and ran it against the only app I have in prod. It's not used by anyone but my wife, but I would like it secure (the vulnerability in my case would probably require a login, which is unlikely, but still). bundle-audit reported two vulnerabilities with rest-client, and suggests upgrading to 1.8.0. Bundle update keeps pulling in version 1.6.8. I have reviewed my Gemfile, and there doesn't appear to be any explicit version requirement for any of the gems that pull in rest-client. (There is no reference to rest-client at all in the Gemfile.) gem dependency rest-client 1.6.8 shows webmock and mime-types as dependent:
Gem rest-client-1.6.8
mime-types (~> 1.16)
pry (>= 0, development)
rake (~> 10.0, development)
rdoc (>= 2.4.2)
rspec (~> 2.4, development)
webmock (~> 1.4, development)
Gem rest-client-1.8.0
http-cookie (< 2.0, >= 1.0.2)
mime-types (< 3.0, >= 1.16)
netrc (~> 0.7)
pry (>= 0, development)
pry-doc (>= 0, development)
rdoc (< 5.0, >= 2.4.2, development)
rspec (~> 2.4, development)
webmock (~> 1.4, development)
When I attempt to remove rest-client 1.6.8, gem complains differently though:
ast-2.1.0 depends on rest-client (~> 1.6.7, development)
heroku-3.42.36 depends on rest-client (= 1.6.8)
heroku-3.42.33 depends on rest-client (= 1.6.8)
heroku-3.42.21 depends on rest-client (= 1.6.8)
heroku-3.8.4 depends on rest-client (~> 1.6.1)
heroku-3.8.3 depends on rest-client (~> 1.6.1)
heroku-3.8.2 depends on rest-client (~> 1.6.1)
heroku-3.8.1 depends on rest-client (~> 1.6.1)
heroku-3.6.0 depends on rest-client (~> 1.6.1)
heroku-3.3.0 depends on rest-client (~> 1.6.1)
heroku-3.2.3 depends on rest-client (~> 1.6.1)
heroku-3.0.1 depends on rest-client (~> 1.6.1)
parser-2.2.3.0 depends on rest-client (~> 1.6.7, development)
parser-2.2.2.6 depends on rest-client (~> 1.6.7, development)
parser-2.2.0.3 depends on rest-client (~> 1.6.7, development)
If you remove this gem, these dependencies will not be met.
When I remove it, it just gets pulled in again.
BTW, why does the removal cause additional dependencies beyond those reported by 'gem dependency' to pop up? (Are they indirect?)
Thanks.
I know you posted this a year ago, but I was having the same issue so I came across it. With me the issue was that in my Gemfile I had:
gem "rest-client", "1.6.7"
I just removed the version:
gem "rest-client"
and then ran bundle update rest-client
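An added example, not code from the question or the answer above: the `gem uninstall` output in the question shows heroku pinning rest-client to exactly 1.6.8, and the extra names it lists are gems that reach rest-client only through another gem. If a gem holding such a pin is in the bundle, the same pin sits in Gemfile.lock, and that is what makes `bundle update` put 1.6.8 straight back. The script below walks a lockfile and reports both things: the chains through which a gem is pulled in, and which constraints reject the version bundle-audit asks for. The lockfile text is constructed for the example (the heroku, rest-client and mime-types lines mirror the `gem` output above; `deploy_tools` is a hypothetical app-level gem added to show an indirect dependent); the `specs:` parser is a deliberately minimal hand-rolled one, not bundler's own `Bundler::LockfileParser`, which is what bundler-audit uses.

```ruby
# Added example (not from the original post): find out which locked gems pull in
# a given gem, directly or through other gems, and which of their constraints
# reject the version bundle-audit asked for. Only RubyGems' Gem::Version and
# Gem::Requirement are used; the lockfile parser is a minimal hand-rolled one
# for the `specs:` section (bundler-audit itself uses Bundler::LockfileParser).
require "rubygems"

# Constructed Gemfile.lock fragment (not the asker's real lockfile): heroku and
# rest-client/mime-types mirror the `gem` output in the question; deploy_tools
# is a hypothetical app-level gem added to show an *indirect* dependent.
LOCK = <<~LOCKFILE
  GEM
    remote: https://rubygems.org/
    specs:
      deploy_tools (0.1.0)
        heroku (~> 3.42)
      heroku (3.42.36)
        rest-client (= 1.6.8)
      mime-types (1.25.1)
      rest-client (1.6.8)
        mime-types (~> 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    deploy_tools
LOCKFILE

# Parse the `specs:` block into
#   { "name" => { version: Gem::Version, deps: { "dep" => Gem::Requirement } } }.
# Gem lines are indented 4 spaces, their dependency lines 6; a platform suffix
# such as "1.6.8-x86-mingw32" is dropped. Parsing stops at the end of the block.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line == "  specs:"
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty? || line !~ /\A / # blank line or next section
    case line
    when /\A {4}(\S+) \(([^)\s-]+)[^)]*\)\z/
      current = { version: Gem::Version.new($2), deps: {} }
      specs[$1] = current
    when /\A {6}(\S+)(?: \(([^)]+)\))?\z/
      # An unversioned dependency line in a lockfile means ">= 0".
      current[:deps][$1] = Gem::Requirement.new(($2 || ">= 0").split(", "))
    end
  end
  specs
end

# Gems whose locked dependency list names `gem_name` (direct dependents only).
def direct_dependents(specs, gem_name)
  specs.select { |_, spec| spec[:deps].key?(gem_name) }.keys
end

# Every chain from a top-level dependent down to `gem_name`, e.g.
# ["deploy_tools", "heroku", "rest-client"]. A chain with more than two
# entries is an indirect dependency: the first gem never names the last one.
def dependency_chains(specs, gem_name, chain = [gem_name], seen = { gem_name => true })
  parents = direct_dependents(specs, gem_name).reject { |p| seen[p] }
  return [chain] if parents.empty?
  parents.flat_map do |parent|
    dependency_chains(specs, parent, [parent] + chain, seen.merge(parent => true))
  end
end

# Direct dependents whose requirement rejects `target` (the version bundle-audit
# recommends); these are the pins that must be lifted before `bundle update`
# can move the gem. Returns [[dependent, requirement_string], ...].
def blockers(specs, gem_name, target)
  wanted = Gem::Version.new(target)
  direct_dependents(specs, gem_name).map do |dependent|
    requirement = specs[dependent][:deps][gem_name]
    [dependent, requirement.to_s] unless requirement.satisfied_by?(wanted)
  end.compact
end

if $PROGRAM_NAME == __FILE__
  specs = parse_lock_specs(LOCK)
  dependency_chains(specs, "rest-client").each { |c| puts "pulled in via: #{c.join(' -> ')}" }
  blockers(specs, "rest-client", "1.8.0").each do |dependent, requirement|
    puts "#{dependent} requires rest-client #{requirement}, which rejects 1.8.0"
  end
end
```

Run as a script it prints the chain `deploy_tools -> heroku -> rest-client` and the blocker `heroku requires rest-client = 1.6.8, which rejects 1.8.0`. The practical consequence: uninstalling rest-client does nothing, since bundler reinstalls whatever the lockfile says, and the CVE stays in the bundle until the gem holding the pin is upgraded to a release that accepts 1.8.0 or dropped. In a real repository replace the constructed LOCK with `File.read("Gemfile.lock")`.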
Related
Running bundle or bundle update could not solve the problem. I've tried removing the Gemfile.lock. Seems weird that bundler could not decide that jwt (~> 2.1) should satisfy jwt (~> 1.5).
Bundler could not find compatible versions for gem "jwt":
In Gemfile:
knock was resolved to 2.1.1, which depends on
jwt (~> 1.5)
pusher-chatkit-server (~> 1.1.0) was resolved to 1.1.0, which depends on
pusher-platform (~> 0.11.2) was resolved to 0.11.2, which depends on
jwt (~> 2.1)
I'm trying to use a gem spree, which depends on kaminari (~> 1.0.1). In my Gemfile.lock, I have kaminari (= 1.1.1). This satisfies the requirement for spree, since it's greater than or equal to the last digit. However, I'm getting this error when I try to bundle:
Bundler could not find compatible versions for gem "kaminari":
In snapshot (Gemfile.lock):
kaminari (= 1.1.1)
In Gemfile:
activeadmin (~> 1.3) was resolved to 1.3.0, which depends on
kaminari (>= 0.15)
rails_admin (~> 1.3) was resolved to 1.3.0, which depends on
kaminari (< 2.0, >= 0.14)
spree (~> 3.5.0) was resolved to 3.5.0, which depends on
spree_core (= 3.5.0) was resolved to 3.5.0, which depends on
kaminari (~> 1.0.1)
Running `bundle update` will rebuild your snapshot from scratch, using only
the gems in your Gemfile, which may resolve the conflict.
I'm not sure why v1.1.1 doesn't satisfy the requirements for all the gems in question, since it seems to fall within the range for all gems in question. I tried running bundle update, but then I get a long list of gem incompatibilities, none of which make sense to me either, since their requirements all seem to fall within range of the version I have in my lock file. For instance,
Bundler could not find compatible versions for gem "activemodel":
In Gemfile:
carrierwave (~> 1.2) was resolved to 1.2.2, which depends on
activemodel (>= 4.0.0)
rails (~> 5.1.6) was resolved to 5.1.6, which depends on
activemodel (= 5.1.6)
web-console (>= 3.3.0) was resolved to 3.6.2, which depends on
activemodel (>= 5.0)
Bundler could not find compatible versions for gem "activerecord":
In Gemfile:
annotate (~> 2.7) was resolved to 2.7.4, which depends on
activerecord (< 6.0, >= 3.2)
friendly_id (~> 5.2) was resolved to 5.2.4, which depends on
activerecord (>= 4.0.0)
rails (~> 5.1.6) was resolved to 5.1.6, which depends on
activerecord (= 5.1.6)
activeadmin (~> 1.3) was resolved to 1.3.0, which depends on
ransack (~> 1.3) was resolved to 1.8.8, which depends on
activerecord (>= 3.0)
spree_gateway (~> 3.3) was resolved to 3.3.3, which depends on
spree_extension was resolved to 0.0.5, which depends on
activerecord (>= 4.2)
Bundler could not find compatible versions for gem "activesupport":
In Gemfile:
activeadmin (~> 1.3) was resolved to 1.3.0, which depends on
arbre (>= 1.1.1) was resolved to 1.1.1, which depends on
activesupport (>= 3.0.0)
carrierwave (~> 1.2) was resolved to 1.2.2, which depends on
activesupport (>= 4.0.0)
activeadmin (~> 1.3) was resolved to 1.3.0, which depends on
inherited_resources (>= 1.7.0) was resolved to 1.8.0, which depends on
has_scope (~> 0.6) was resolved to 0.7.2, which depends on
activesupport (>= 4.1)
jbuilder (~> 2.5) was resolved to 2.7.0, which depends on
activesupport (>= 4.2.0)
kaminari (~> 1.0.1) was resolved to 1.0.1, which depends on
activesupport (>= 4.1.0)
rails (~> 5.1.6) was resolved to 5.1.6, which depends on
activesupport (= 5.1.6)
activeadmin (~> 1.3) was resolved to 1.3.0, which depends on
ransack (~> 1.3) was resolved to 1.8.8, which depends on
activesupport (>= 3.0)
spring was resolved to 2.0.2, which depends on
activesupport (>= 4.2)
sass-rails (~> 5.0) was resolved to 5.0.7, which depends on
sprockets-rails (< 4.0, >= 2.0) was resolved to 3.2.1, which depends on
activesupport (>= 4.0)
Bundler could not find compatible versions for gem "kaminari":
In Gemfile:
kaminari (~> 1.0.1)
activeadmin (~> 1.3) was resolved to 1.3.0, which depends on
kaminari (>= 0.15)
rails_admin (~> 1.3) was resolved to 1.3.0, which depends on
kaminari (< 2.0, >= 0.14)
Bundler could not find compatible versions for gem "spree_core":
In Gemfile:
spree (~> 3.5.0) was resolved to 3.5.0, which depends on
spree_core (= 3.5.0)
spree_gateway (~> 3.3) was resolved to 3.3.3, which depends on
spree_core (< 4.0, >= 3.1.0)
These errors raise a whole new set of questions, since I don't see any conflicts in versions for any of the gems.
For activemodel, why can't it use 5.1.6? Doesn't that satisfy all the requirements?
For activerecord, why can't it use 5.1.6? Doesn't that satisfy all the requirements?
For activesupport, why can't it use 5.1.6? Doesn't that satisfy all the requirements?
For kaminari, why can't it use 1.0.1? Doesn't that satisfy all the requirements?
For spree_core, why can't it use 3.5.0? Doesn't that satisfy all the requirements?
How does one go about resolving these issues? I've tried running bundle update for all gems and for individual gems, but I get the same error message either way.
This satisfies the requirement for spree, since it's greater than or equal to the last digit.
That's not quite correct; the docs for Bundler's Gemfile state:
The specifier ~> has a special meaning, best shown by example. ~> 2.0.3 is identical to >= 2.0.3 and < 2.1.
So in your case, for kaminari, ~> 1.0.1 would mean '>= 1.0.1' and '< 1.1', which (obviously) 1.1.1 does not meet.
As for the others, everything looks to me like it'd work, though I notice a lot of the ones failing need something to do with spree or kaminari, so maybe fixing the one will help those. The others could also (maybe) be cascading errors, kind of like a missing parenthesis or comma in one place can cause syntax errors through the entire file; maybe just the one error is cascading through the rest of the bundle. I'd take care of kaminari and then see what you're left with.
Have you verified whether the version of spree you're trying to install is compatible with the higher version of kaminari? Try downgrading the kaminari gem to "~> 1.0.1" to see if that helps.
If that does not work, then another suggestion would be to run "bundle update" on your current gemset before you add "spree" to your Gemfile, to make sure you are working with all the latest versions of your currently installed gems.
I'm trying to upgrade Nokogiri to version 1.7:
gem 'nokogiri', '~> 1.7'
but when I run:
bundle update --source nokogiri
I get:
Fetching gem metadata from https://rubygems.org/...........
Fetching version metadata from https://rubygems.org/...
Fetching dependency metadata from https://rubygems.org/..
Resolving dependencies.............
Bundler could not find compatible versions for gem "nokogiri":
This is in my Gemfile:
nokogiri (~> 1.7)
activemerchant (~> 1.58.0) was resolved to 1.58.0, which depends on
nokogiri (~> 1.4)
activemerchant (~> 1.58.0) was resolved to 1.58.0, which depends on
nokogiri (~> 1.4)
capybara was resolved to 2.7.0, which depends on
nokogiri (>= 1.3.3)
cucumber-rails was resolved to 1.4.3, which depends on
nokogiri (~> 1.5)
haml-rails was resolved to 0.9.0, which depends on
html2haml (>= 1.0.1) was resolved to 2.0.0, which depends on
nokogiri (~> 1.6.0)
haml-rails was resolved to 0.9.0, which depends on
html2haml (>= 1.0.1) was resolved to 2.0.0, which depends on
nokogiri (~> 1.6.0)
rails (>= 4.2.6, ~> 4.2) was resolved to 4.2.6, which depends on
actionmailer (= 4.2.6) was resolved to 4.2.6, which depends on
actionview (= 4.2.6) was resolved to 4.2.6, which depends on
rails-html-sanitizer (>= 1.0.2, ~> 1.0) was resolved to 1.0.3, which depends on
loofah (~> 2.0) was resolved to 2.0.3, which depends on
nokogiri (>= 1.5.9)
roo (~> 2.4.0) was resolved to 2.4.0, which depends on
nokogiri (~> 1)
roo-xls was resolved to 1.0.0, which depends on
nokogiri
capybara was resolved to 2.7.0, which depends on
xpath (~> 2.0) was resolved to 2.0.0, which depends on
nokogiri (~> 1.3)
Does anyone have an idea why it can't find it? I see on rubygems.org that the current version is 1.7.1 as well as on github. Do I need to specify the github source?
The problem is here:
haml-rails was resolved to 0.9.0, which depends on
html2haml (>= 1.0.1) was resolved to 2.0.0, which depends on
nokogiri (~> 1.6.0)
As you can see, html2haml depends on nokogiri (~> 1.6.0), which does not allow 1.7. You either need to update html2haml (so its dependency becomes nokogiri (~> 1.6)) or use nokogiri, ~> 1.6.
You could try deleting your Gemfile.lock file and running bundle install again, but I will only recommend doing it if you are not yet in production.
I think other gems are dependent on Nokogiri, so try bundle update.
bundle update will resolve a dependency tree and try to install versions that satisfy all the other gems' dependencies.
I need help understanding this bundler error message:
Bundler could not find compatible versions for gem "faraday":
In Gemfile:
metainspector (= 5.4.1) was resolved to 5.4.1, which depends on
faraday-http-cache (~> 2.0) was resolved to 2.0.0, which depends on
faraday (~> 0.8)
metainspector (= 5.4.1) was resolved to 5.4.1, which depends on
faraday_middleware (~> 0.11) was resolved to 0.11.0.1, which depends on
faraday (< 1.0, >= 0.7.4)
instagram-continued (= 1.2.1) was resolved to 1.2.1, which depends on
faraday (~> 0.9.2)
metainspector (= 5.4.1) was resolved to 5.4.1, which depends on
faraday (~> 0.11)
sendgrid-ruby (= 1.1.6) was resolved to 1.1.6, which depends on
faraday (~> 0.9)
Maybe I'm not understanding it correctly, but I don't see where the issue is with faraday. All these dependencies seem to require a faraday version greater than or equal to 0.7.4 but less than 1.0. My current version is 0.9.2. I've always understood the ~> pointer to indicate greater than or equal to. Is that incorrect?
Here is the relevant portion of my Gemfile:
gem 'instagram-continued', '1.2.1', require: "instagram"
gem 'metainspector', '5.4.1'
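The jwt, kaminari, nokogiri and faraday questions above all turn on the same reading of `~>`, so here is one added example, not code from any of the posts, that makes Bundler's "could not find compatible versions" output checkable with the RubyGems classes Bundler itself resolves against. The constraint tables are copied from the error messages quoted above, as [dependent, requirement] pairs; the lists of candidate versions are constructed for the example rather than fetched from rubygems.org; and `pessimistic_bounds` relies on `Gem::Version#bump`, which is how RubyGems defines the upper bound of `~>`.

```ruby
# Added example (not from the posts): what "~>" allows, which dependents reject
# a candidate version, and whether any version can satisfy all of them at once.
require "rubygems"

# Constraints copied from the Bundler errors quoted on this page, as
# [dependent, requirement] pairs ("Gemfile" is the app's own line).
KAMINARI = [
  ["spree_core 3.5.0", "~> 1.0.1"],
  ["activeadmin 1.3.0", ">= 0.15"],
  ["rails_admin 1.3.0", ">= 0.14, < 2.0"],
]
JWT = [
  ["knock 2.1.1", "~> 1.5"],
  ["pusher-platform 0.11.2", "~> 2.1"],
]
NOKOGIRI = [
  ["Gemfile", "~> 1.7"],
  ["activemerchant 1.58.0", "~> 1.4"],
  ["cucumber-rails 1.4.3", "~> 1.5"],
  ["html2haml 2.0.0", "~> 1.6.0"],
  ["loofah 2.0.3", ">= 1.5.9"],
  ["roo 2.4.0", "~> 1"],
  ["xpath 2.0.0", "~> 1.3"],
]
FARADAY = [
  ["faraday-http-cache 2.0.0", "~> 0.8"],
  ["faraday_middleware 0.11.0.1", ">= 0.7.4, < 1.0"],
  ["instagram-continued 1.2.1", "~> 0.9.2"],
  ["metainspector 5.4.1", "~> 0.11"],
  ["sendgrid-ruby 1.1.6", "~> 0.9"],
]

# Expand a single "~> x.y.z" into the ">= / <" pair it really means.
# RubyGems defines the upper bound as Gem::Version#bump: drop the last segment
# and increment the new last one, so "~> 1.0.1" => "< 1.1" and "~> 0.11" => "< 1".
def pessimistic_bounds(spec)
  op, version = Gem::Requirement.new(spec).requirements.first
  raise ArgumentError, "not a ~> requirement: #{spec}" unless op == "~>"
  [">= #{version}", "< #{version.bump}"]
end

# Dependents whose requirement rejects `candidate`; empty means it fits everyone.
def rejecting(constraints, candidate)
  version = Gem::Version.new(candidate)
  constraints.reject do |_, spec|
    Gem::Requirement.new(spec.split(", ")).satisfied_by?(version)
  end
end

# Versions from `available` that satisfy every constraint. An empty result means
# the requirements are mutually exclusive: no `bundle update` can fix that, one
# of the dependents has to change.
def compatible(constraints, available)
  available.select { |candidate| rejecting(constraints, candidate).empty? }
end

if $PROGRAM_NAME == __FILE__
  puts "~> 1.0.1 means #{pessimistic_bounds('~> 1.0.1').join(', ')}"
  { "kaminari 1.1.1" => [KAMINARI, "1.1.1"],
    "nokogiri 1.7.1" => [NOKOGIRI, "1.7.1"],
    "faraday 0.9.2"  => [FARADAY, "0.9.2"] }.each do |label, (constraints, candidate)|
    puts "#{label} rejected by: #{rejecting(constraints, candidate).map(&:first).join(', ')}"
  end
  # Candidate version lists below are constructed, not fetched from rubygems.org.
  puts "jwt versions fitting knock and pusher-platform: #{compatible(JWT, %w[1.5.6 2.1.0 2.2.1]).inspect}"
  puts "faraday versions fitting all five dependents: #{compatible(FARADAY, %w[0.9.2 0.11.0 0.12.2]).inspect}"
end
```

The faraday case is the instructive one: `~> 0.9.2` (instagram-continued) means `< 0.10` while `~> 0.11` (metainspector) means `>= 0.11`, so `compatible` returns an empty list for every candidate and the error is not about the currently installed 0.9.2 at all. The same function shows why jwt `~> 1.5` and `~> 2.1` can never meet, and why kaminari 1.1.1 fails only spree_core's `~> 1.0.1`. Each `~>` requirement above is exactly one `>= x, < y` pair, and the fix is always to change one of the dependents, never to wait for a different version of the contested gem.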
I was trying to add the middleman-cloudfront gem to my middleman project, but got the following error. Most of the gems need a >= 4.0 version of the middleman-core gem, but middleman-cloudfront requires a ~> 3.0 version.
How can I solve this issue?
Bundler could not find compatible versions for gem "middleman-core":
In Gemfile:
middleman (>= 4.0.0) was resolved to 4.0.0, which depends on
middleman-core (= 4.0.0)
middleman-cloudfront (~> 0.2.1) was resolved to 0.2.1, which depends on
middleman-core (~> 3.0)
middleman-google-analytics (>= 2.1.1, ~> 2.1) was resolved to 2.1.1, which depends on
middleman-core (>= 3.4)
middleman-s3_sync (>= 4.0.3, ~> 4.0) was resolved to 4.0.3, which depends on
middleman-core (>= 4.0.0)
middleman-s3_sync (>= 4.0.3, ~> 4.0) was resolved to 4.0.3, which depends on
middleman-core (>= 4.0.0)
middleman-sprockets (~> 4.0) was resolved to 4.0.0, which depends on
middleman-core (~> 4.0)
It looks like support for v4 has been added to middleman-cloudfront, but not yet released as a new version. You can pull directly from master:
gem 'middleman-cloudfront', github: 'andrusha/middleman-cloudfront'