Remove REXML instead of patching it
There have been at least 3 rexml vulnerabilities to date,
having to patch ruby just to make sure it's not being used is taking a lot
Afaik most people do not use xml anyway (and especially not rexml), just
for comparison: it would make much more sense to have json included, but
So let's just drop it & make it a gem.
Updated by luislavena (Luis Lavena) over 4 years ago
What about gem-ification of rexml and allowing patches to be distributed as gems that can be updated?
(like default gems: json, psych, etc)
I think the introduction of default gem for rexml falls into minor version changes and will allow faster responses and alternate upgrade/mitigation paths.
Updated by yb601 (Iain Barnett) over 4 years ago
Erik Michaels-Ober wrote:
I believe semantic versioning prevents doing this until Ruby 3 is released (many years from now) but I agree that this issue should be added to the Ruby 3 roadmap.
Wedding release schedules to specific version numbers is what got Perl in such a mess. Shouldn't the version numbers follow what happens in the code and not the other way round? If a change means the version number goes up to 3 then so what! The other stuff that would've been in 3 goes in 4… or 5 or 6.
+1 from me either for the original idea or Luis' idea.