说实话,我不是 Ruby 开发人员。我正在对 Ruby 网站进行某些修复。它托管在 Heroku 服务器上。
我所做的更改不涉及添加或删除任何宝石,而仅涉及功能更改。
由于以下问题,我无法推送我的更改:
remote: ! A security vulnerability has been detected in your application.
remote: ! To protect your application you must take action. Your application
remote: ! is currently exposing its credentials via an easy to exploit directory
remote: ! traversal.
remote: !
remote: ! To protect your application you must either upgrade to Sprockets version "2.12.5"
remote: ! or disable dynamic compilation at runtime by setting:
remote: !
remote: ! ```
remote: ! con fig.assets.compile = false #Disables security vulnerability
remote: ! ```
remote: !
remote: ! To read more about this security vulnerability please refer to this blog post:
remote: ! https://blog.heroku.com/rails-asset-pipeline-vulnerability
remote: !
remote: ! Push rejected, failed to compile Ruby app.
remote:
remote: ! Push failed
需要注意的是,网站的配置如下:
remote: -----> Ruby app detected
remote: -----> Compiling Ruby/Rails
remote: Your app was upgraded to bundler 1.15.2.
remote: Previously you had a successful deploy with bundler 1.11.2.
remote:
remote: If you see problems related to the bundler version please refer to:
remote: https://devcenter.heroku.com/articles/bundler-version
remote:
remote: -----> Using Ruby version: ruby-2.0.0
remote: -----> Installing dependencies using bundler 1.15.2
这个 ruby 版本太旧了,没有维护,我正在使用 ruby 2.5.3、bundle 1.15.2(直到出现这个错误,我才知道这个 bundle 和它的版本)
我尝试按照所述安装 gem(Sprockets 版本“2.12.5”)然后尝试推送我的更改并收到此错误:
remote:
remote: -----> Ruby app detected
remote: -----> Compiling Ruby/Rails
remote: Your app was upgraded to bundler 1.15.2.
remote: Previously you had a successful deploy with bundler 1.11.2.
remote:
remote: If you see problems related to the bundler version please refer to:
remote: https://devcenter.heroku.com/articles/bundler-version
remote:
remote: -----> Using Ruby version: ruby-2.0.0
remote: -----> Installing dependencies using bundler 1.15.2
remote: Running: bundle install --without development:test --path vendor/bundle --binstubs vendor/bundle/bin -j4 --deployment
remote: The git source `git://github.com/seyhunak/twitter-bootstrap-rails.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote: The git source `git://github.com/activeadmin/activeadmin.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote: You are trying to install in deployment mode after changing
remote: your Gemfile. Run `bundle install` elsewhere and add the
remote: updated Gemfile.lock to version control.
remote:
remote: The dependencies in your gemfile changed
remote:
remote: You have added to the Gemfile:
remote: * sprockets (= 2.12.5)
remote: Bundler Output: The git source `git://github.com/seyhunak/twitter-bootstrap-rails.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote: The git source `git://github.com/activeadmin/activeadmin.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote: You are trying to install in deployment mode after changing
remote: your Gemfile. Run `bundle install` elsewhere and add the
remote: updated Gemfile.lock to version control.
remote:
remote: The dependencies in your gemfile changed
remote:
remote: You have added to the Gemfile:
remote: * sprockets (= 2.12.5)
remote:
remote: !
remote: ! Failed to install gems via Bundler.
remote: !
remote: ! Push rejected, failed to compile Ruby app.
remote:
remote: ! Push failed
remote: Verifying deploy...
remote:
remote: ! Push rejected to somewebsite.
知道下一步怎么做吗?现在我正在谷歌搜索解决方案,但随后出现了更多错误。我尝试了bundle install,但bundle update最终出现了更多错误:
The git source `git://github.com/seyhunak/twitter-bootstrap-rails.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
The git source `git://github.com/activeadmin/activeadmin.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
Fetching git://github.com/seyhunak/twitter-bootstrap-rails.git
Fetching git://github.com/activeadmin/activeadmin.git
Fetching https://github.com/stripe/stripe-ruby
Fetching https://github.com/stefanoverna/activeadmin-dragonfly
Fetching https://github.com/stefanoverna/activeadmin-wysihtml5
Fetching gem metadata from https://rubygems.org/.......
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...
该点以下的一切都呈红色 :(
Bundler could not find compatible versions for gem "actionpack":
In Gemfile:
rails (= 4.1.5) was resolved to 4.1.5, which depends on
actionpack (= 4.1.5)
twitter-bootstrap-rails was resolved to 4.0.0, which depends on
actionpack (~> 5.0, >= 5.0.1)
Bundler could not find compatible versions for gem "activesupport":
In Gemfile:
carrierwave (~> 0.10.0) was resolved to 0.10.0, which depends on
activesupport (>= 3.2.0)
activeadmin-wysihtml5 was resolved to 1.0.0, which depends on
activeadmin-dragonfly was resolved to 0.0.2, which depends on
activeadmin was resolved to 2.0.0.alpha, which depends on
kaminari (>= 1.0.1) was resolved to 1.1.1, which depends on
activesupport (>= 4.1.0)
rails (= 4.1.5) was resolved to 4.1.5, which depends on
activesupport (= 4.1.5)
rspec-rails (= 3.1.0) was resolved to 3.1.0, which depends on
activesupport (>= 3.0)
shoulda-matchers was resolved to 3.1.2, which depends on
activesupport (>= 4.0.0)
slim-rails (= 2.1.5) was resolved to 2.1.5, which depends on
activesupport (>= 3.0, < 4.2)
Bundler could not find compatible versions for gem "coffee-rails":
In Gemfile:
coffee-rails (~> 4.0.0)
xray-rails (= 0.1.14) was resolved to 0.1.14, which depends on
coffee-rails
Bundler could not find compatible versions for gem "rails":
In Gemfile:
rails (= 4.1.5)
xray-rails (= 0.1.14) was resolved to 0.1.14, which depends on
rails (>= 3.1.0)
这是我的 gem 文件。我目前有 ruby 2.5.3 和 rails 5.2.1。
source 'https://rubygems.org'
#ruby '2.1.2'
gem 'rails', '4.1.5'
gem 'pg'
gem 'sass-rails', '~> 4.0.3'
gem 'uglifier', '>= 1.3.0'
gem 'coffee-rails', '~> 4.0.0'
gem 'jquery-rails', '3.1.2'
gem 'autoprefixer-rails','3.1.0.20140911'
gem 'puma', '2.9.1'
gem 'nokogiri', '~> 1.6.3.1'
gem 'slim-rails', '2.1.5'
gem 'devise', '~> 3.3.0'
gem 'twitter-bootstrap-rails', :git => 'git://github.com/seyhunak/twitter-bootstrap-rails.git'
gem 'formtastic-bootstrap'
gem 'activeadmin', github: 'activeadmin'
gem 'cancan', '~> 1.6.10'
gem 'fancybox2-rails'
gem 'carrierwave', '~> 0.10.0'
gem "mini_magick"
gem 'stripe', :git => 'https://github.com/stripe/stripe-ruby'
gem 'stripe-ruby-mock', '~> 1.10.1.7'
gem "kaminari"
gem 'activeadmin-dragonfly', :git => 'https://github.com/stefanoverna/activeadmin-dragonfly'
gem 'activeadmin-wysihtml5', :git => 'https://github.com/stefanoverna/activeadmin-wysihtml5'
gem 'will_paginate', '~> 3.0.6'
gem 'owlcarousel-rails'
gem 'paypal-sdk-adaptivepayments'
group :production do
gem 'rails_12factor'
gem 'fog', '~> 1.23.0'
end
group :development, :test do
gem 'rspec-autotest'
gem 'autotest-rails'
gem 'rspec-rails', '3.1.0'
gem "dotenv-rails"
end
group :development do
gem 'metric_fu','4.11.1'
gem 'pry-rails', '0.3.2'
gem 'xray-rails', '0.1.14'
gem 'quiet_assets', '1.0.3'
end
group :test do
gem 'factory_girl_rails', '4.4.1'
gem 'simplecov', '0.9.0', require: false
gem 'database_cleaner', '1.3.0'
gem 'capybara'
gem 'shoulda-matchers'
end
gem 'Sprockets', '2.12.5' # added this line after the security issue I received.
答案1
有没有什么方法可以更新 Rails 网站中的所有宝石?
更新所有依赖项可能无法解决您的问题,但可以尝试一下。删除Gemfile.lock并运行bundle install。检查本指南以供其使用。
您有解决冲突,因此bundle install将继续失败。如果您想更新 sprockets,逐一解决它们是唯一的出路。您也可以像 heroku 建议的那样禁用检查:
为了保护您的应用程序,您必须升级到 Sprockets 版本“2.12.5”或通过设置禁用运行时的动态编译:config.assets.compile = false