Update thor version #237

Merged (1 commit), Jan 29, 2020

Conversation

@rwojnarowski (Contributor)

@AlexWayfer (Contributor) left a review comment:

We don't need to increase the minimal version.

(review thread on gemspec.yml, outdated and resolved)
@rwojnarowski (Contributor, Author)

@AlexWayfer makes sense, updated

@AlexWayfer (Contributor) left a review comment:

Looks good, thanks. CI fails from master, as I see.

@petergoldstein (Contributor)

@AlexWayfer It looks like Travis is failing because of the bundler issues with bundler 2.1.0. Once Travis updates their images to use bundler 2.1.1 (or a gem update bundler is included in the CI script), CI should pass.

@petergoldstein (Contributor)

@rwojnarowski @AlexWayfer Can whichever of you has access please rerun the Travis build? They should have fixed the transient bundler issue by now. So I expect the build will run clean.

I'd love to see this merged and a new version of bundler-audit released - this issue is impacting our build pipeline, and we may have to pull bundler-audit out if it doesn't get resolved soon.

@AlexWayfer (Contributor)

> @rwojnarowski @AlexWayfer Can whichever of you has access please rerun the Travis build?

I can't, I'm not a collaborator or maintainer.

> They should have fixed the transient bundler issue by now. So I expect the build will run clean.

You can try to remake your commit (git commit --amend, for example) and push with --force.

@zaratan commented Jan 14, 2020

@rwojnarowski Do you have time to do it, or can/should I do it (forking your PR and resubmitting)?

@postmodern Can I do something?

@rwojnarowski (Contributor, Author)

@denispasin I've rerun Travis. Still failing: 61 examples, 2 failures.

@keegangroth (Contributor)

I think I've fixed the unit tests in #242. Also, for what it's worth, there's a line towards the end of the README that calls out the thor dependency, which should probably be updated in this PR (https://github.com/rubysec/bundler-audit/blob/master/README.md#requirements).

joshRpowell added a commit to joshRpowell/bundler-audit that referenced this pull request Jan 21, 2020
@postmodern (Member)

Waiting for Travis to re-run due to other merges. In the future we should probably just bump the thor dep to ~> 1.0. Although, there may be an argument for continuing to support Ruby 1.9, just in case some poor soul has to fix-up a Ruby 1.9 project.

@postmodern postmodern merged commit 9ee34db into rubysec:master Jan 29, 2020
@AlexWayfer (Contributor)

Thank you. We're waiting for a new release with it. 🙌

@postmodern (Member) commented Feb 20, 2020

@AlexWayfer currently stuck on writing new specs for Database in the 0.7.0 branch. I decided to gut the vendored DB, and just auto-download it at first run.

I suppose I could release a 0.6.x patch release, but I'd rather knock out these other issues with 0.7 (support for output formats, and the old vendored DB confusing new users).

@AlexWayfer (Contributor) commented Feb 20, 2020

> @AlexWayfer currently stuck on writing new specs for Database in the 0.7.0 branch. I decided to gut the vendored DB, and just auto-download it at first run.

OK. You can make a PR and ask for help; I worked with similar things in money-oxr (already implemented, tried to improve) and Voight-Kampff (a successful transition of the approach from money-oxr).

Anyway, thank you for your work. You don't owe us anything; these are just our wishes while we wait.

@trammel commented Mar 20, 2020

If you have time, a fixed 0.6.x patch release would be great, because it looks like the next Rails release (6.1) is going to require an updated thor: https://github.com/rails/rails/blob/master/railties/railties.gemspec#L43

@postmodern (Member)

@AlexWayfer see the 0.7.0 branch. I managed to fix the CLI specs, but the integrations specs are still failing. I'm tempted to delete the integration specs, since they look like duplicates of the CLI specs but execute the bin script directly.

@trammel if I can't get 0.7.0 released soon, I'll take a look at releasing 0.6.x based on the current state of master.

@AlexWayfer (Contributor)

> @AlexWayfer see the 0.7.0 branch. I managed to fix the CLI specs, but the integrations specs are still failing. I'm tempted to delete the integration specs, since they look like duplicates of the CLI specs but execute the bin script directly.

master is failing: https://travis-ci.org/github/rubysec/bundler-audit/builds/664847550

(locally reproducible)

Also I'm getting another error:

Failures:

  1) Bundler::Audit::Database path should prefer the user repo, iff it's as up to date, or more up to date than the vendored one
     Failure/Error: expect(subject).to eq mocked_user_path
     
       expected: "/home/alex/Projects/ruby/bundler-audit/tmp/ruby-advisory-db"
            got: "/home/alex/Projects/ruby/bundler-audit/data/ruby-advisory-db"
     
       (compared using ==)
     # ./spec/database_spec.rb:26:in `block (3 levels) in <top (required)>'

  2) CLI when auditing a secure bundle should print nothing when everything is fine
     Failure/Error: raise "FAILED #{command}\n#{result}" if $?.success? == !!options[:fail]
     
     RuntimeError:
       FAILED /home/alex/Projects/ruby/bundler-audit/bin/bundler-audit
       Name: actionview
       Version: 5.2.2
       Advisory: CVE-2019-5419
       Criticality: Unknown
       URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
       Title: Denial of Service Vulnerability in Action View
       Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1
     
       Name: actionview
       Version: 5.2.2
       Advisory: CVE-2019-5418
       Criticality: Unknown
       URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
       Title: File Content Disclosure in Action View
       Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3
     
       Name: actionview
       Version: 5.2.2
       Advisory: CVE-2020-5267
       Criticality: Unknown
       URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
       Title: Possible XSS vulnerability in ActionView
       Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2
     
       Name: loofah
       Version: 2.2.3
       Advisory: CVE-2019-15587
       Criticality: Unknown
       URL: https://github.com/flavorjones/loofah/issues/171
       Title: Loofah XSS Vulnerability
       Solution: upgrade to >= 2.3.1
     
       Name: railties
       Version: 5.2.2
       Advisory: CVE-2019-5420
       Criticality: Unknown
       URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
       Title: Possible Remote Code Execution Exploit in Rails Development Mode
       Solution: upgrade to ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3
     
       Vulnerabilities found!
     # ./spec/spec_helper.rb:12:in `block in sh'
     # ./spec/spec_helper.rb:10:in `sh'
     # ./spec/integration_spec.rb:74:in `block (4 levels) in <top (required)>'
     # ./spec/integration_spec.rb:74:in `chdir'
     # ./spec/integration_spec.rb:74:in `block (3 levels) in <top (required)>'
     # ./spec/integration_spec.rb:78:in `block (3 levels) in <top (required)>'

Finished in 2.43 seconds (files took 0.13846 seconds to load)
62 examples, 2 failures

While I'm not familiar with bundler-audit, it can be a problem with 0.7.0. But I'm going to try anyway.
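The second failure quoted above is bundler-audit doing its core job: each locked gem version is compared against the advisory's "Solution" (patched_versions) ranges, and anything not covered is reported. The following is an added example, not code from bundler-audit or from any participant in this thread, showing that check with RubyGems' own Gem::Version and Gem::Requirement. The advisory records and the Gemfile.lock fragment are constructed for illustration (the IDs and ranges mirror the spec output above), and locked_specs, requirement, patched?, advisories_for and audit are hypothetical helper names, not the project's API.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement come from RubyGems

# Constructed advisory data for this example (not the ruby-advisory-db
# entries themselves). Each patched_versions element follows the DB's shape:
# one string holding comma-joined RubyGems requirements that must ALL hold,
# and a version counts as fixed if it satisfies ANY element of the list.
ADVISORIES = [
  { gem: 'actionview', id: 'CVE-2020-5267',
    patched_versions: ['~> 5.2.4, >= 5.2.4.2', '>= 6.0.2.2'] },
  { gem: 'loofah', id: 'CVE-2019-15587',
    patched_versions: ['>= 2.3.1'] },
  { gem: 'railties', id: 'CVE-2019-5420',
    patched_versions: ['~> 5.2.2, >= 5.2.2.1', '>= 6.0.0.beta3'] }
].freeze

# Constructed Gemfile.lock fragment: actionview is still on the version the
# spec output above reports as vulnerable; loofah and railties are patched.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (5.2.2)
        activesupport (= 5.2.2)
      loofah (2.3.1)
        crass (~> 1.0.2)
      railties (6.0.2.2)
      thor (1.0.1)

  PLATFORMS
    ruby
LOCK

# Extract [name, Gem::Version] pairs for the resolved specs of a lockfile.
# In Gemfile.lock, resolved gems sit at exactly four spaces of indent under
# "specs:"; their dependency lines sit at six spaces and are skipped.
def locked_specs(lockfile)
  specs = []
  lockfile.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs << [m[1], Gem::Version.new(m[2])] if m
  end
  specs
end

# Build one Gem::Requirement from a patched_versions entry such as
# "~> 5.2.4, >= 5.2.4.2". The comma-separated clauses are AND-ed: with
# "~> 5.2.4" alone, 5.2.4.1 would wrongly count as fixed.
def requirement(entry)
  Gem::Requirement.new(*entry.split(',').map(&:strip))
end

# A version is patched when it satisfies at least one patched_versions entry.
def patched?(advisory, version)
  advisory[:patched_versions].any? do |entry|
    requirement(entry).satisfied_by?(version)
  end
end

# IDs of the advisories that still apply to gem `name` at `version`.
def advisories_for(name, version, advisories = ADVISORIES)
  advisories.select { |a| a[:gem] == name && !patched?(a, version) }
            .map { |a| a[:id] }
end

# Audit a lockfile: returns { gem_name => [advisory ids] } for vulnerable
# gems only; an empty hash means a clean bundle.
def audit(lockfile, advisories = ADVISORIES)
  locked_specs(lockfile).each_with_object({}) do |(name, version), found|
    ids = advisories_for(name, version, advisories)
    found[name] = ids unless ids.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  audit(SAMPLE_LOCKFILE).each { |name, ids| puts "#{name}: #{ids.join(', ')}" }
end
```

Run against the constructed lockfile this reports only actionview 5.2.2 (CVE-2020-5267); the compound "~> 5.2.4, >= 5.2.4.2" range is why 5.2.4.2 passes while 5.2.4.1 does not, which is the kind of boundary a hand-written "is my version new enough" check tends to get wrong.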

@AlexWayfer (Contributor) commented Mar 25, 2020

> @AlexWayfer see the 0.7.0 branch. I managed to fix the CLI specs, but the integrations specs are still failing. I'm tempted to delete the integration specs, since they look like duplicates of the CLI specs but execute the bin script directly.

I've created #252, all tests are passing (locally; let's see the CI results).

UPD: Oh, there is no CI… OK, you can check it yourself.

mike-burns added a commit to thoughtbot/suspenders that referenced this pull request Apr 24, 2020
Use bundler-audit 0.7.0, currently in pre-release. It has an
up-to-date Thor dependency, which fixes an incompatibility with Bundler
2.

Here is a trail of bug reports and fixes against the repo:

* <rubysec/bundler-audit#239>
* <rubysec/bundler-audit#237>
* <rubysec/bundler-audit#252>
@ylecuyer

> if I can't get 0.7.0 released soon, I'll take a look at releasing 0.6.x based on the current state of master.

Eventually, what is the status? Could you issue a 0.6.x release with just the thor update?

@postmodern (Member)

Attempting to write up the ChangeLog for 0.6.2, but I see a few additional smaller features got into master (GHSA ID support and CVSSv3). Not sure if I should just release 0.6.2, bump to 0.7.0 and bump 0.7.0 to 0.8.0, or what?

@trammel commented Jun 11, 2020

Bump them all. It's a minor version number, but includes more fixes than expected.

@postmodern (Member)

Bumped. Will do a second pass tomorrow and ensure @since 0.7.0 tags are all in place for any new methods.

@postmodern (Member)

bundler-audit 0.7.0 has finally been released! Any new features should now go into the 0.8.0 branch (formerly known as 0.7.0).

@sedubois

Thank you very much @postmodern. However when I try running bundle audit I encounter this issue which was just reported: #265

Web-Go-To added a commit to Web-Go-To/rails_suspenders that referenced this pull request Mar 23, 2023
(same commit message as the thoughtbot/suspenders commit above)