Dropping libxslt as a hard dependency #3532
Replies: 3 comments
-
|
@joshcooper Please see https://gitlab.gnome.org/GNOME/libxslt/-/issues/150, a few people have volunteered to step into the libxslt maintainer role. I don't personally think it's worth the effort to split out this dependency. I've been wrong before, but my current prediction is that any severe vulnerability that becomes known will be patched in a timely manner. |
Beta Was this translation helpful? Give feedback.
-
|
Ah thank you, makes sense! |
Beta Was this translation helpful? Give feedback.
-
|
Iván Chavero has stepped into the role of maintainer of libxslt: https://gitlab.gnome.org/GNOME/libxslt/-/commit/841a1805a9a9aa959b4eb9c46ba56a84e17cf871 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
libxslt is no longer maintained, see https://gitlab.gnome.org/GNOME/libxslt/-/commit/923903c59d668af42e3144bc623c9190a0f65988 and is no longer embargoing security issues (true for both libxml2 and libxslt). So it is only a matter of time before a 8+ CVE is announced in libxslt and there will be no remediation for nokogiri's vendored libxslt.
I think most consumers of nokogiri parse/manage XML, but don't need XSLT functionality. Is there interest in making the libxslt dependency optional, e.g.
gem install nokogiri --platform=ruby -- --no-libxslt?Or splitting nokogiri into two gems
nokogiri-xml&nokogiri-xslt, withnokogiribeing a meta-gem that requires both? That way consumers could just installnokogiri-xmlif that's all they care about.There is a related discussion about libxml2 in #3522, but I would expect companies with "names that rhyme with Schnapple and Froogle" to fund that project. The future of libxslt seems less clear.
Beta Was this translation helpful? Give feedback.
All reactions