
To be honest, I am not a Ruby developer. I am working on certain fixes on a Ruby website. It's hosted on a Heroku server.

The changes I have made don't involve adding or removing any gem, only functionality changes.

I am not able to push my changes due to the following issues:

remote:  !     A security vulnerability has been detected in your application.
remote:  !     To protect your application you must take action. Your application
remote:  !     is currently exposing its credentials via an easy to exploit directory
remote:  !     traversal.
remote:  !     
remote:  !     To protect your application you must either upgrade to Sprockets version "2.12.5"
remote:  !     or disable dynamic compilation at runtime by setting:
remote:  !     
remote:  !     ```
remote:  !     config.assets.compile = false #Disables security vulnerability
remote:  !     ```
remote:  !     
remote:  !     To read more about this security vulnerability please refer to this blog post:
remote:  !     https://blog.heroku.com/rails-asset-pipeline-vulnerability
remote:  !
remote:  !     Push rejected, failed to compile Ruby app.
remote: 
remote:  !     Push failed

Point to be noted, following are the configurations of the website:

remote: -----> Ruby app detected
remote: -----> Compiling Ruby/Rails
remote:        Your app was upgraded to bundler 1.15.2.
remote:        Previously you had a successful deploy with bundler 1.11.2.
remote:        
remote:        If you see problems related to the bundler version please refer to:
remote:        https://devcenter.heroku.com/articles/bundler-version
remote:        
remote: -----> Using Ruby version: ruby-2.0.0
remote: -----> Installing dependencies using bundler 1.15.2

This Ruby version is too old and not maintained; I am working on Ruby 2.5.3 and Bundler 1.15.2 (until this error, I had no idea about Bundler or its version).

I tried to install the gem as mentioned (Sprockets version "2.12.5") then tried to push my changes and received this error:

remote: 
remote: -----> Ruby app detected
remote: -----> Compiling Ruby/Rails
remote:        Your app was upgraded to bundler 1.15.2.
remote:        Previously you had a successful deploy with bundler 1.11.2.
remote:        
remote:        If you see problems related to the bundler version please refer to:
remote:        https://devcenter.heroku.com/articles/bundler-version
remote:        
remote: -----> Using Ruby version: ruby-2.0.0
remote: -----> Installing dependencies using bundler 1.15.2
remote:        Running: bundle install --without development:test --path vendor/bundle --binstubs vendor/bundle/bin -j4 --deployment
remote:        The git source `git://github.com/seyhunak/twitter-bootstrap-rails.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote:        The git source `git://github.com/activeadmin/activeadmin.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote:        You are trying to install in deployment mode after changing
remote:        your Gemfile. Run `bundle install` elsewhere and add the
remote:        updated Gemfile.lock to version control.
remote:        
remote:        The dependencies in your gemfile changed
remote:        
remote:        You have added to the Gemfile:
remote:        * sprockets (= 2.12.5)
remote:        Bundler Output: The git source `git://github.com/seyhunak/twitter-bootstrap-rails.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote:        The git source `git://github.com/activeadmin/activeadmin.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
remote:        You are trying to install in deployment mode after changing
remote:        your Gemfile. Run `bundle install` elsewhere and add the
remote:        updated Gemfile.lock to version control.
remote:        
remote:        The dependencies in your gemfile changed
remote:        
remote:        You have added to the Gemfile:
remote:        * sprockets (= 2.12.5)
remote: 
remote:  !
remote:  !     Failed to install gems via Bundler.
remote:  !
remote:  !     Push rejected, failed to compile Ruby app.
remote: 
remote:  !     Push failed
remote: Verifying deploy...
remote: 
remote: !   Push rejected to somewebsite.

Any idea on how to proceed next? Right now I am Googling for the solutions but then getting more errors. I tried bundle install and bundle update and ended up having even more errors:

The git source `git://github.com/seyhunak/twitter-bootstrap-rails.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
The git source `git://github.com/activeadmin/activeadmin.git` uses the `git` protocol, which transmits data without encryption. Disable this warning with `bundle config git.allow_insecure true`, or switch to the `https` protocol to keep your data secure.
Fetching git://github.com/seyhunak/twitter-bootstrap-rails.git
Fetching git://github.com/activeadmin/activeadmin.git
Fetching https://github.com/stripe/stripe-ruby
Fetching https://github.com/stefanoverna/activeadmin-dragonfly
Fetching https://github.com/stefanoverna/activeadmin-wysihtml5
Fetching gem metadata from https://rubygems.org/.......
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...

Everything was red in color below this point :(

Bundler could not find compatible versions for gem "actionpack":
  In Gemfile:
    rails (= 4.1.5) was resolved to 4.1.5, which depends on
      actionpack (= 4.1.5)

    twitter-bootstrap-rails was resolved to 4.0.0, which depends on
      actionpack (~> 5.0, >= 5.0.1)

Bundler could not find compatible versions for gem "activesupport":
  In Gemfile:
    carrierwave (~> 0.10.0) was resolved to 0.10.0, which depends on
      activesupport (>= 3.2.0)

    activeadmin-wysihtml5 was resolved to 1.0.0, which depends on
      activeadmin-dragonfly was resolved to 0.0.2, which depends on
        activeadmin was resolved to 2.0.0.alpha, which depends on
          kaminari (>= 1.0.1) was resolved to 1.1.1, which depends on
            activesupport (>= 4.1.0)

    rails (= 4.1.5) was resolved to 4.1.5, which depends on
      activesupport (= 4.1.5)

    rspec-rails (= 3.1.0) was resolved to 3.1.0, which depends on
      activesupport (>= 3.0)

    shoulda-matchers was resolved to 3.1.2, which depends on
      activesupport (>= 4.0.0)

    slim-rails (= 2.1.5) was resolved to 2.1.5, which depends on
      activesupport (>= 3.0, < 4.2)

Bundler could not find compatible versions for gem "coffee-rails":
  In Gemfile:
    coffee-rails (~> 4.0.0)

    xray-rails (= 0.1.14) was resolved to 0.1.14, which depends on
      coffee-rails

Bundler could not find compatible versions for gem "rails":
  In Gemfile:
    rails (= 4.1.5)

    xray-rails (= 0.1.14) was resolved to 0.1.14, which depends on
      rails (>= 3.1.0)

This is my Gemfile. I am currently on Ruby 2.5.3 and Rails 5.2.1.

source 'https://rubygems.org'

#ruby '2.1.2'
gem 'rails', '4.1.5'
gem 'pg'
gem 'sass-rails', '~> 4.0.3'
gem 'uglifier', '>= 1.3.0'
gem 'coffee-rails', '~> 4.0.0'
gem 'jquery-rails', '3.1.2'
gem 'autoprefixer-rails','3.1.0.20140911'
gem 'puma', '2.9.1'
gem 'nokogiri', '~> 1.6.3.1'
gem 'slim-rails', '2.1.5'
gem 'devise', '~> 3.3.0'
gem 'twitter-bootstrap-rails', :git => 'git://github.com/seyhunak/twitter-bootstrap-rails.git'
gem 'formtastic-bootstrap'
gem 'activeadmin', github: 'activeadmin'
gem 'cancan', '~> 1.6.10'

gem 'fancybox2-rails'

gem 'carrierwave', '~> 0.10.0'
gem "mini_magick"
gem 'stripe', :git => 'https://github.com/stripe/stripe-ruby'
gem 'stripe-ruby-mock', '~> 1.10.1.7'
gem "kaminari"

gem 'activeadmin-dragonfly', :git => 'https://github.com/stefanoverna/activeadmin-dragonfly'
gem 'activeadmin-wysihtml5', :git => 'https://github.com/stefanoverna/activeadmin-wysihtml5'

gem 'will_paginate', '~> 3.0.6'

gem 'owlcarousel-rails'

gem 'paypal-sdk-adaptivepayments'

group :production do
  gem 'rails_12factor'
  gem 'fog', '~> 1.23.0'
end

group :development, :test do
  gem 'rspec-autotest'
  gem 'autotest-rails'
  gem 'rspec-rails', '3.1.0'
  gem "dotenv-rails"
end

group :development do
  gem 'metric_fu','4.11.1'
  gem 'pry-rails', '0.3.2'
  gem 'xray-rails', '0.1.14'
  gem 'quiet_assets', '1.0.3'
end

group :test do
  gem 'factory_girl_rails', '4.4.1'
  gem 'simplecov', '0.9.0', require: false
  gem 'database_cleaner', '1.3.0'
  gem 'capybara'
  gem 'shoulda-matchers'
end

gem 'sprockets', '2.12.5' # added this line after the security issue I received.

  • You need to upgrade much more than just sprockets. – Michael Hampton Nov 27 '18 at 11:39
  • @MichaelHampton yes, I can see that. I just want to know what is a good way to update everything, as for now, I am having a lot of issues and it is very frustrating to see these plugins are not getting updated on their own. – Curious Developer Nov 28 '18 at 05:53
  • Do I need to completely trash my Ubuntu and install it again or can any one fix it? – Curious Developer Nov 28 '18 at 07:47
  • Also, I happen to have rvm and rbenv both, and whenever I switch Ruby version, earlier the system was showing some path error, but now the system is not allowing me to switch due to some permission errors. Maybe because I gave 777 permission to /home/.rvm and /usr/local/rvm folders – Curious Developer Nov 28 '18 at 07:50
  • bundler update will update everything (within the constraints of your Gemfile). However, it is unlikely your app will continue to function if you update everything. You don't need to uninstall Ubuntu :P However, you will have to take time to resolve these conflicts one by one. Besides increasing versions, you can also decrement them and see if it works. For example, downgrade twitter-bootstrap-rails to 3.2.2, which has support for Rails 4.1 – sonalkr132 Nov 28 '18 at 13:08
  • @sonalkr132 Thanks for replying. Perhaps you can provide me with a guide or link that can help me fix this issue! – Curious Developer Nov 29 '18 at 05:46
  • @sonalkr132 Can you please tell me a way to update all my gems in a Rails website? It contains a Gemfile which lists the gems with the versions currently used in the website. I think, if I update all the bundles, the website can start working. Then I will push those updates, if any, and the new Gemfile.lock to the server and keep the Heroku website running. – Curious Developer Nov 29 '18 at 05:49

1 Answer


a way to update all my gems in rails website?

Updating all dependencies may not fix your issue but sure, give it a try. Delete Gemfile.lock and run bundle install. Check this guide for its use.

You have resolution conflicts, so bundle install will continue to fail. Resolving them one by one is your only way out if you want to update sprockets. You could also disable the check as Heroku suggests:

To protect your application you must either upgrade to Sprockets version "2.12.5" or disable dynamic compilation at runtime by setting: config.assets.compile = false

  • Thanks for providing the Guide, I will look into it for sure.

    To protect your application you must either upgrade to Sprockets version "2.12.5" or disable dynamic compilation at runtime by setting: config.assets.compile = false. Does it stop testing for security? What exactly does it do?

    Also, is there any way to only push my updates to the code regardless of any Ruby or gem changes? Or maybe some Heroku cpanel that will allow me to update the code directly on their cpanel and let me fix the issue on the website, without having to go through all the trouble?

    – Curious Developer Nov 29 '18 at 07:16
  • I did what you suggested but the problem still exists. – Curious Developer Nov 30 '18 at 13:05
  • There is no Ruby version specified in the Gemfile and the Rails version is 4.1.5, and I am using Ruby 2.5.3 and Rails 5.2.1. Should I downgrade Rails? Which version of Ruby should I go for? – Curious Developer Nov 30 '18 at 13:09
  • Check my original post, I have added the original Gemfile of the website. – Curious Developer Nov 30 '18 at 13:12