[Bug]: i18n dependency version conflict for jekyll 3.9.2 preventing activesupport update to fix CVE-2023-22796

[agnostic-apollo]

Operating System

Ubuntu 21.04

Ruby Version

ruby 2.7

Jekyll Version

3.9.2

GitHub Pages Version

227

Expected Behavior

The activesupport 6.1.7.1 can be used with jekyll 3.9.x.

Current Behavior

The CVE-2023-22796 requires activesupport to be updated to 6.1.7.1 or 7.0.4.1.

The github-pages 227 gem depends on jekyll = 3.9.2, which depends on i18n ~> 0.7.

The activesupport 6.1.7.1 depends on i18n >= 1.6, < 2, which prevents an update. The activesupport 6.0.6.1 was the last version that depended on i18n >= 0.7, < 2, which then uses i18n 0.9.5 to also satisfy jekyll's i18n ~> 0.7 requirement.

To fix the issue would require using jekyll >= 4.0.0, which depends on i18n >= 0.9.5, < 2 or a new 3.9.x release with a higher i18n dependency version.

Re-post of github/pages-gem#866

CC: @parkr

Relevant log output

No response

Code Sample

No response

[parkr]

This gem supports the slugify filter. 93e3eb06d2

I filed #9269 to fix this.

[agnostic-apollo]

Great, thanks!

[agnostic-apollo]

Should also check if any other dependencies may cause problems. The tzinfo in Gemfile would need to be bumped from 1.2 to 2.0 since activesupport 6.1.7.1 depends on tzinfo ~> 2.0 compared to activesupport 6.0.6.1 depending on tzinfo ~> 1.1.

Jekyll sites like for github and gitlab pages may be using gem "tzinfo", "~> 1.2" in Gemfile by default. If some other dependency than activerecord is using a lower tzinfo, then it would cause problems. Don't see it being used by anything other than activerecord in termux site.

https://gitlab.com/pages/jekyll/-/blob/f6da695012415246ce3b612e5e760170fc40a7ac/Gemfile#L24

https://github.com/termux/termux.github.io/blob/master/Gemfile.lock

[agnostic-apollo]

Jekyll is also using both 1.2 and 2.0 for test variants for windows.

jekyll/appveyor.yml

Lines 17 to 23 in ff60d51

	matrix:
	- RUBY_FOLDER_VER: "27"
	TZINFO_VERSION: "~> 1.2"
	TEST_SUITE: "test"
	- RUBY_FOLDER_VER: "27"
	TZINFO_VERSION: "~> 2.0"
	TEST_SUITE: "test"

[ashmaroli]

To fix the issue would require using jekyll >= 4.0.0, which depends on i18n >= 0.9.5, < 2 or a new 3.9.x release with a higher i18n dependency version.

Hello @agnostic-apollo
GitHub Pages gem cannot bump to Jekyll 4 for backwards-compatibility.

Jekyll is also using both 1.2 and 2.0 for test variants for windows.

This change was made for Jekyll 4.x series and wasn't backported for 3.x series.
If your local tests show that there is a definite need to bump tzinfo version-constraint as well, feel free to open a backport pull-request to backport the relevant lib changes to 3.9-stable. (We use the script/backport-pr shell script for such tasks usually) If bumping tzinfo constraint is necessary but you're not able to submit the pull request, let us know.

[agnostic-apollo]

GitHub Pages gem cannot bump to Jekyll 4 for backwards-compatibility.

Yeah, I understand that, releasing a new 3.9.x would be the way to go for now. When I initially made the comment in the other issue, I wasn't sure if jekyll 3.x.x would be maintained since there hasn't been a release for it for almost a year. Moreover, once more and more gems start using higher versions, it may eventually require a major version bump of github pages that uses jekyll 4, even if not now, since other gems may not backport fixes indefinitely.

If your local tests show that there is a definite need to bump tzinfo version-constraint as well,

I am not working on jekyll locally or doing local tests, I only mentioned it since I saw jekyll using both versions while I was searching for the default tzinfo version for new sites. Since jekyll doesn't list tzinfo as a dependency and as you say test is for 4.x series, only pages sites that use activerecord currently would need to use 2.0.

[parkr]

On the latest 3.9-stable branch, I ran bundle update and saw:

Using tzinfo 2.0.5 (was 1.2.10)
Installing activesupport 7.0.4.2 (was 6.0.6.1)

This means tzinfo isn't likely to be an issue with installing the latest activesupport version. I ran script/cibuild locally and got a clean bill of health.

I think this issue is now fixed – i18n and tzinfo are able to be upgraded. Let me know if not!

[agnostic-apollo]

With gem 'jekyll', :github => 'jekyll/jekyll', :branch => '3.9-stable' I got the same result and site gets built locally. I guess a release can be made.

This means tzinfo isn't likely to be an issue with installing the latest activesupport version.

Yes, as long as gem "tzinfo", "~> 2.0" is used in Gemfile, since with gem "tzinfo", "~> 1.2" the activesupport version 6.0.6.1 will be chosen, which wouldn't have the CVE fix.

Thanks a lot for working on this! :)

[ashmaroli]

@parkr A little heads-up before you release this and document / declare full-fledged tzinfo-2.0 support in Jekyll 3.x (relevant only for Windows based Jekyll builds): The support requires cherry-picking certain changes from the master branch (including adding a separate test job for tzinfo-2.x.

[parkr]

Like #8880?

[parkr]

Created a backport PR: #9280