Supply-chain security issue: CVE-2021-41098 (CVSS High in stale dependency) || Support for EOL'd ruby versions

[mbijon]

nokogiri <1.12.5 has a vulnerability classified as high-risk: CVE-2021-41098. However, this package is currently bundling nokogiri v1.11.0.rc2. That version 1.11.0.rc2 was released in April-2020 and appears to be in-use ONLY to maintain support for ruby v2.3 & 2.4.

Both versions of ruby have been EOL'd for more than a year (https://endoflife.date/ruby):

• ruby 2.3 EOL 3/2019
• ruby 2.4 EOL 3/2020
• Even ruby 2.5 was EOL'd, in 3/2021

To remediate:
Could this module be updated to deprecate support for ruby <2.6 & require the secure nokogiri version?

• Drop support for Ruby 2.3 and 2.4 #184
• Bumped up nokogiri version. #199

[janmg]

I think the mistake here is that the version of nokogiri is locked to 1.11.x due to the ~> operator. If it would have been set to ~> 1 it would be bundler that could pick the most suitable and secure version. I have 1.12.5 installed, but it's now not accepted because it has to be 1.11.x Instead of bumping the version number of nokogiri and faraday in this gem which now seems to be common practice given all the issues and pull requestes, the gemspec should let the environment decide what is good for them, now my logstash plugin for azure can't use this gem, because it's too narrow on the versions.

If the devs want to block the usage of insecure versions, they could include a negative to state which versions are not supported. like this ['~>1', '!<1.12.5']

https://guides.rubygems.org/patterns/#semantic-versioning

Ruby may have declared 2.5 EOL, but JRUBY 9.2.19 is still in support. Don't get me wrong, I very much in favor to leave old insecure unsupported software to die, but give people some time to update their stack.

[mbijon]

Yes, #199 uses gem "nokogiri", "~> 1", ">= 1.12.5". That would at least let bundler manage the dependencies properly.

The current spec of ~> 1.11.0.rc2 is actually causing more-significant problems. Bundler treats the ".rc2" as significant and looks for dot-dot-dot versions, ie: rc3, rc4 etc. So this gem prevents any project that includes it from even updating to the 1.11.0 release of nokogiri.

As for JRuby ... it's unfortunate they're still supporting ruby 2.5 compat. But I still think #184 should be merged, as it only drops 2.4 & 2.3.

[nertzy]

Solved for me in the gems released yesterday.