Proper Semantic Versioning

[bdwyertech]

@kou @nobu, the two most recent releases 3.2.7 and 3.2.8 should be major versions as they introduce strscan which seems to require some native extensions and compilation on systems. This is breaking my world with folks using Chef. Can you please yank those and make this 4.x.x or something?

For Chef folks looking for a fix, add the following to your cookbooks metadata.rb:

# Temporary Workaround (https://github.com/ruby/rexml/issues/131)
gem 'rexml', '= 3.2.6'

You can also install gcc in your kitchen using:

lifecycle:
  post_create:
    # Temporary Workaround (https://github.com/ruby/rexml/issues/131)
    - remote: sudo yum install -y gcc

Thanks

[spacefuntus]

This should be prioritized as impacting many.

[igorwwwwwwwwwwwwwwwwwwww]

Note that the old version of 3.2.6 is subject to a DoS CVE: https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/.

Impact of the vulnerability may be limited, but this may be a reason to favour the "install gcc" approach over pinning the old version.

[elbartostrikesagain]

+1, or at least 3.3.0 would be acceptable? Would also be nice to see the gcc dependency listed in the Readme for this project as well.

In my case, the requiring Gem is ruby-dbus which has the following: s.add_runtime_dependency "rexml". Since no version information is listed there, it doesn't actually matter what version was introduced here - it would still have broken for me. My guess is that most Chef users having problems are using the systemd cookbook.

I will recommend that ruby-dbus changes their dependency to here to have a version, such as ~> 3.2 for their current version and then they bump their version for a dependency update to the new version here as well.

For the sake of those who think they have the same problem (and the web crawlers), here is dependency chain I have that got me here:

An error occurred while installing strscan (3.1.0), and Bundler cannot continue.

       In Gemfile:
         dbus-systemd was resolved to 1.1.2, which depends on
           ruby-dbus was resolved to 0.23.1, which depends on
             rexml was resolved to 3.2.8, which depends on
        strscan

[hsbt]

Can you please yank those and make this 4.x.x or something?

It's impossible. If we yanked them, it breaks the many of Ruby application.

[bdwyertech]

Can you please yank those and make this 4.x.x or something?

It's impossible. If we yanked them, it breaks the many of Ruby application.

It breaks no one. You released two versions this morning which broke many. I highly doubt anyone pinned the versions to this yet. This is 💯 a major breaking change.

Major minor patch. This is far from a patch or a minor change.

[doconnor-clintel]

Secondary variant with (very old ruby, bundler, probably solvable but surprising):

App 77401 output: Error: The application encountered the following error: You have already activated strscan 1.0.0, but your Gemfile requires strscan 3.1.0. Since strscan is a default gem, you can either remove your dependency on it or try updating to a newer version of bundler that supports strscan as a default gem. (Gem::LoadError)
App 77401 output:     /home/clintel/.rbenv/versions/2.6.10/lib/ruby/2.6.0/bundler/runtime.rb:319:in `check_for_activated_spec!'
App 77401 output:     /home/clintel/.rbenv/versions/2.6.10/lib/ruby/2.6.0/bundler/runtime.rb:31:in `block in setup'
App 77401 output:     /home/clintel/.rbenv/versions/2.6.10/lib/ruby/2.6.0/forwardable.rb:230:in `each'
App 77401 output:     /home/clintel/.rbenv/versions/2.6.10/lib/ruby/2.6.0/forwardable.rb:230:in `each'
App 77401 output:     /home/clintel/.rbenv/versions/2.6.10/lib/ruby/2.6.0/bundler/runtime.rb:26:in `map'
App 77401 output:     /home/clintel/.rbenv/versions/2.6.10/lib/ruby/2.6.0/bundler/runtime.rb:26:in `setup'

[kou]

Could you explain why Chef is related to REXML? #131 (comment) ?

Could you also explain what is "kitchen" in Chef context?

[elbartostrikesagain]

@kou the "kitchen" is a test environment for using Chef. It's not really relevant to the problem at hand but it's useful for those with chef/kitchen related problems to see how to install gcc. The solution above is specific to environments using yum but it's enough to get someone going the right direction.

Why Chef is related to REXML: see my dependency chain above - where it starts is the systemd cookbook is widely used, and that uses the dbus-systemd gem.

While I agree the versioning here was bad, this could be fixed this up the dependency chain - for example the version could be locked here: mvidner/ruby-dbus#143, but I'd have to keep looking up the chain for the same problems I guess.

[kou]

Thanks. If this is related to ruby-dbus (via the systemd cookbook) as you explained, the semantic versioning isn't related to this. Because ~> ... isn't used in ruby-dbus: https://github.com/mvidner/ruby-dbus/blob/5f98ee3cf506ff0bd53b72ce952b1b89881ab64a/ruby-dbus.gemspec#L28

If you don't want to use REXML 3.2.7 or later, you must pin REXML 3.2.6 by yourself. (I'm not sure whether Chef uses Gemfile for dependency management or not.)
In general, I don't recommend it because 3.2.6 or earlier has a security vulnerability: GHSA-vg3r-rm7w-2xgh
If you pin REXML, use it at your own risk.

(We don't need to change ruby-dbus because there isn't any reason that ruby-dbus needs to pin REXML. ruby-dbus can work with any versions of REXML.)

[slonopotamus]

Asciidoctor/Antora user here. 3.2.7/3.2.8 broke our CI as well. Adding dependencies (especially native) in patch-release was not a good idea.

Gem::Ext::BuildError: ERROR: Failed to build gem native extension.
    current directory: /usr/lib/ruby/gems/3.2.0/gems/strscan-3.1.0/ext/strscan
/usr/bin/ruby extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/include/ruby.h
You might have to install separate package for the ruby development
environment, ruby-dev or ruby-devel for example.
extconf failed, exit code 1
Gem files will remain installed in /usr/lib/ruby/gems/3.2.0/gems/strscan-3.1.0
for inspection.
Results logged to
/usr/lib/ruby/gems/3.2.0/extensions/x86_64-linux-musl/3.2.0/strscan-3.1.0/gem_make.out
  /usr/lib/ruby/3.2.0/rubygems/ext/builder.rb:119:in `run'
  /usr/lib/ruby/3.2.0/rubygems/ext/ext_conf_builder.rb:28:in `build'
  /usr/lib/ruby/3.2.0/rubygems/ext/builder.rb:187:in `build_extension'
  /usr/lib/ruby/3.2.0/rubygems/ext/builder.rb:221:in `block in build_extensions'
  /usr/lib/ruby/3.2.0/rubygems/ext/builder.rb:218:in `each'
  /usr/lib/ruby/3.2.0/rubygems/ext/builder.rb:218:in `build_extensions'
  /usr/lib/ruby/3.2.0/rubygems/installer.rb:846:in `build_extensions'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/rubygems_gem_installer.rb:72:in
`build_extensions'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/rubygems_gem_installer.rb:28:in
`install'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/source/rubygems.rb:201:in
`install'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/installer/gem_installer.rb:54:in
`install'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/installer/gem_installer.rb:16:in
`install_from_spec'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/installer/parallel_installer.rb:156:in
`do_install'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/installer/parallel_installer.rb:147:in
`block in worker_pool'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/worker.rb:62:in
`apply_func'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/worker.rb:57:in
`block in process_queue'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/worker.rb:54:in
`loop'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/worker.rb:54:in
`process_queue'
/usr/lib/ruby/gems/3.2.0/gems/bundler-2.4.15/lib/bundler/worker.rb:90:in
`block (2 levels) in create_threads'
An error occurred while installing strscan (3.1.0), and Bundler cannot continue.
In Gemfile:
  asciidoctor-pdf was resolved to 2.3.15, which depends on
    prawn-svg was resolved to 0.34.2, which depends on
      rexml was resolved to 3.2.8, which depends on
        strscan

[kou]

You might have to install separate package for the ruby development
environment, ruby-dev or ruby-devel for example.

This part in the message will fix your CI.

[slonopotamus]

This part in the message will fix your CI.

I believe my CI should not have broke in the first place by a patch update of rexml. There's nothing wrong with adding/removing dependencies, but not this way by breaking everyone. I would not say a single word if 3.2.7/3.2.8 was instead called 4.x.x.

[kou]

Could you share your repository for the CI log?

[bdwyertech]

Thumbs downing people with evidence is very immature. I was able to fix my organization but it took "a village" and a monumental effort from my team to come to a resolution.

This is a Ruby core library, consumed by a wide spread of tooling. A simple acknowledgement would be the adult thing to do here.
I agree that upstream needs a better pinning strategy, but this should have been a minor or major.

[slonopotamus]

There also seems to be an API breaking change when running on JRuby.

Passing tests with rexml 3.2.6.

Failing tests with rexml 3.2.8.

The software itself didn't change at all between these two runs.

  1) Error:
AsciidoctorBibtex#test_0002_must return numeric style (IEEE) references:
REXML::ParseException: #<TypeError: wrong argument type String (expected Regexp)>
org/jruby/ext/strscan/RubyStringScanner.java:258:in `scan'
org/jruby/ext/strscan/RubyStringScanner.java:307:in `scan'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/rexml-3.2.8/lib/rexml/source.rb:199:in `match'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb:216:in `pull_event'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb:196:in `pull'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/rexml-3.2.8/lib/rexml/parsers/treeparser.rb:23:in `parse'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/rexml-3.2.8/lib/rexml/document.rb:448:in `build'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/rexml-3.2.8/lib/rexml/document.rb:101:in `initialize'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/csl-1.6.0/lib/csl/parser.rb:19:in `block in Parser'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/csl-1.6.0/lib/csl/parser.rb:42:in `parse!'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/csl-1.6.0/lib/csl.rb:58:in `parse!'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/csl-1.6.0/lib/csl/node.rb:89:in `parse!'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/csl-1.6.0/lib/csl/loader.rb:31:in `load'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/csl-1.6.0/lib/csl/style.rb:21:in `load'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/lib/asciidoctor-bibtex/style_utils.rb:24:in `is_numeric?'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/lib/asciidoctor-bibtex/processor.rb:186:in `build_bibliography_item'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/test/processor_test.rb:21:in `block in test_0002_must return numeric style (IEEE) references'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest/test.rb:98:in `block in run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest/test.rb:195:in `capture_exceptions'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest/test.rb:95:in `block in run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:265:in `time_it'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest/test.rb:94:in `block in run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:360:in `on_signal'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest/test.rb:211:in `with_info_handler'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest/test.rb:93:in `run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:960:in `run_one_method'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:334:in `run_one_method'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:321:in `block in run'
org/jruby/RubyArray.java:1821:in `each'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:320:in `block in run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:360:in `on_signal'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:347:in `with_info_handler'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:319:in `run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:159:in `block in __run'
org/jruby/RubyArray.java:2589:in `map'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:159:in `__run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:136:in `run'
/home/runner/work/asciidoctor-bibtex/asciidoctor-bibtex/vendor/bundle/jruby/2.5.0/gems/minitest-5.11.3/lib/minitest.rb:63:in `block in autorun'

[adsr]

You might have to install separate package for the ruby development
environment, ruby-dev or ruby-devel for example.

This part in the message will fix your CI.

In addition, I think Ruby has be compiled with libonig support[1], which does not seem to be the case with the version of Chef we're using. For those using the gcc solution with Chef, can you share your Chef version?

[1] https://github.com/ruby/strscan/blob/ca66d48c47d2b17753a660c628606f0bf788d594/ext/strscan/extconf.rb#L5-L6

EDIT: As mentioned below, libonig is optional. I had misinterpreted gem_make.out logs which ended with checking for rb_reg_onig_match() in ruby.h... no but the actual problem was that make was not installed. So in addition to gcc, you should ensure make is installed as well. On Debian-based systems, build-essential will install both.

[apavely]

As those before me have already stated, this "patch release" shouldn't have been labeled as such, and it has broken community expectations. In general, patch releases should not add dependencies, or define minimum versions / pin them when previously undefined, particularly if they require native compilation for installation.

For those advocating gcc everywhere, bear in mind there are use cases where that is simply out-of-the-question.

In my ideal world:

1. Create a branch off of 3.2.6, then incorporate only the fix necessary to correct CVE-2024-35176, and release that result as 3.2.9. Hopefully that would not require changes to force a particular minimum version of strscan.
2. Re-release the existing 3.2.8 release as 3.3.0. I'm not sure if a major version change to 4.0.0 is fully warranted, but that could also be in the cards (as advocated by some).

While the above is not a panacea for all, and things would still break for some, it would at least be excusable and would leave the community-at-large in a (slightly) less grumpy state.

[joshcooper]

Just wanted to highlight rexml 3.2.8 is unusable on JRuby 9.3.7.0 installed via rbenv. In other words, this is different than the "you need to install gcc and ruby-devel to compile strscan with native extensions"

The following fails as a result of this line https://github.com/ruby/rexml/blob/v3.2.8/lib/rexml/parsers/baseparser.rb#L216

$ ruby -rrexml/document -e 'puts RUBY_VERSION; puts REXML::VERSION; puts StringScanner::Version; puts REXML::Document.new("<test/>")'
2.6.8
3.2.8
0.7.0
REXML::ParseException: #<TypeError: wrong argument type String (expected Regexp)>
org/jruby/ext/strscan/RubyStringScanner.java:250:in `scan'
org/jruby/ext/strscan/RubyStringScanner.java:299:in `scan'
/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/source.rb:199:in `match'
/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb:216:in `pull_event'
/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb:196:in `pull'
/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/treeparser.rb:23:in `parse'
/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/document.rb:448:in `build'
/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/document.rb:101:in `initialize'
org/jruby/RubyClass.java:888:in `new'
-e:1:in `<main>'
...
wrong argument type String (expected Regexp)
Line: 1
Position: 7
Last 80 unconsumed characters:
<test/>
       parse at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/treeparser.rb:96
       build at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/document.rb:448
  initialize at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/document.rb:101
         new at org/jruby/RubyClass.java:888
      <main> at -e:1
TypeError: wrong argument type String (expected Regexp)
        scan at org/jruby/ext/strscan/RubyStringScanner.java:250
        scan at org/jruby/ext/strscan/RubyStringScanner.java:299
       match at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/source.rb:199
  pull_event at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb:216
        pull at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/baseparser.rb:196
       parse at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/parsers/treeparser.rb:23
       build at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/document.rb:448
  initialize at /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/rexml-3.2.8/lib/rexml/document.rb:101
         new at org/jruby/RubyClass.java:888
      <main> at -e:1

REXML 3.2.6 does not have this issue:

$ ruby -rrexml/document -e 'puts RUBY_VERSION; puts REXML::VERSION; puts StringScanner::Version; puts REXML::Document.new("<test/>")'
2.6.8
3.2.6
0.7.0
<test/>

Also MRI Ruby 3.2.2 and REXML 3.2.8 work:

$ ruby -rrexml/document -e 'puts RUBY_VERSION; puts REXML::VERSION; puts StringScanner::Version; puts REXML::Document.new("<test/>")' 
3.2.2
3.2.8
3.1.0
<test/>

To be clear the bug above is in the strscan gem, but when combined with rexml depending on strscan, then rexml is completely broken on JRuby 9.3. That seems worthy of yanking rexml 3.2.7 and 3.2.8.

irb(main):001:0> require 'strscan'
=> true
irb(main):002:0> scanner = StringScanner.new("one two")
=> #<StringScanner 0/7 @ "one t...">
irb(main):003:0> scanner.scan("one")
Traceback (most recent call last):
       10: from /home/josh/.rbenv/versions/jruby-9.3.7.0/bin/irb:23:in `<main>'
        9: from org/jruby/RubyKernel.java:1052:in `load'
        8: from /home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/gems/shared/gems/irb-1.0.0/exe/irb:11:in `<main>'
        7: from org/jruby/RubyKernel.java:1237:in `catch'
        6: from org/jruby/RubyKernel.java:1237:in `catch'
        5: from org/jruby/RubyKernel.java:1507:in `loop'
        4: from org/jruby/RubyKernel.java:1091:in `eval'
        3: from (irb):3:in `evaluate'
        2: from org/jruby/ext/strscan/RubyStringScanner.java:299:in `scan'
        1: from org/jruby/ext/strscan/RubyStringScanner.java:250:in `scan'
TypeError (wrong argument type String (expected Regexp))
irb(main):004:0> scanner.scan(/one/)
=> "one"
irb(main):005:0> JRUBY_VERSION
=> "9.3.7.0"
irb(main):006:0> StringScanner::Version
=> "0.7.0"
irb(main):007:0> $LOADED_FEATURES.grep /strscan/
=> ["/home/josh/.rbenv/versions/jruby-9.3.7.0/lib/ruby/stdlib/strscan.rb"]

JRuby 9.4.5.0 doesn't have this issue:

irb(main):001:0> require 'strscan'
=> true
irb(main):002:0> scanner = StringScanner.new("one two")
=> #<StringScanner 0/7 @ "one t...">
irb(main):003:0> scanner.scan("one")
=> "one"
irb(main):004:0> StringScanner::Version
=> "3.0.2"
irb(main):005:0> JRUBY_VERSION
=> "9.4.5.0"

For posterity, the issue was fixed in JRuby in jruby/jruby@c5783b9#diff-47288559b9fccc3854cf6d41fca775477a0ad0874cefee5dbae926748de4940eR368-R379

[apavely]

@kou

It's known by direct REXML users (because they don't use ~>)

Most users of REXML are not direct users. Most users simply have the expectation that most Ruby gems will behave in a particular manner. Most Ruby gems use Semantic Versioning, and it is documented as a recommendation.

From that page:

The RubyGems team urges gem developers to follow the Semantic Versioning standard for their gem’s versions. The RubyGems library itself does not enforce a strict versioning policy, but using an “irrational” policy will only be a disservice to those in the community who use your gems.

Read semver.org (日本語); please try to understand why we believe this versioning method is important, and why it has been adopted by the larger RubyGems community.

If REXML has its own versioning policy as to what constitutes a major, minor, or patch release, please elaborate.

[joshcooper]

@kou

Could you open a new issue for JRuby related things? It's not related to this.

I updated my comment above. The JRuby issue was fixed in 9.3.11.0.

It's known by direct REXML users (because they don't use ~>)

rubocop depends on rexml >= 3.2.5, < 4.0

Separately, isn't the strscan dependency going to be a major issue for Windows users, especially since XML is so common there? I'm talking specifically about cases where ruby is redistributed to non-developer servers, so there's no devkit.

[ariksu]

I would also mention, that there are Windows users of Chef, who require much more complicated solutions than "yum install gcc" or "yum install ruby-devel". I also suspect that installing dev tools on the production server is NOT a good security pattern.

[bdwyertech]

I would also mention, that there are Windows users of Chef, who require much more complicated solutions than "yum install gcc" or "yum install ruby-devel". I also suspect that installing dev tools on the production server is NOT a good security pattern.

💯💯💯

[CloCkWeRX]

No further response seems to be forthcoming for what amounts to a major mishap.
Fork?

[kou]

Read semver.org (日本語); please try to understand why we believe this versioning method is important, and why it has been adopted by the larger RubyGems community.

I know the semantic versioning.

It seems that you misunderstand that we can solve this case by using only "REXML uses the semantic versioning as its versioning schema". We need at least the followings if we use the semantic versioning based approach:

1. REXML uses the semantic versioning as its versioning schema
2. REXML users use ~> for depended REXML version

If we don't have 2., you always use the latest REXML even if we have 1.

For this case, do you have a suggestion how to do 2.?

FYI: I will not use this to stop this discussion but strscan dependency isn't related to major/minor/patch release:

https://semver.org/#what-should-i-do-if-i-update-my-own-dependencies-without-changing-the-public-api

What should I do if I update my own dependencies without changing the public API?

That would be considered compatible since it does not affect the public API. Software that explicitly depends on the same dependencies as your package should have their own dependency specifications and the author will notice any conflicts. Determining whether the change is a patch level or minor level modification depends on whether you updated your dependencies in order to fix a bug or introduce new functionality. We would usually expect additional code for the latter instance, in which case it’s obviously a minor level increment.

The semantic versioning focuses on only public API. And 3.2.7 doesn't introduce public API change. So we need to use more strict versioning schema than the semantic versioning if we use the semantic versioning based approach.

If we can discuss this case in productive way, we can keep this discussion. But if any of us can't do it, I need to stop this discussion.

[kou]

rubocop depends on rexml >= 3.2.5, < 4.0

Thanks. I don't know the RuboCop case.
It seems that there are no problem for RuboCop users. It seems that the RuboCop case is different from Chef/Asciidoctor cases.
RuboCop is used for development. Building strscan may not be a problem for the case.

[kou]

I would also mention, that there are Windows users of Chef, who require much more complicated solutions than "yum install gcc" or "yum install ruby-devel". I also suspect that installing dev tools on the production server is NOT a good security pattern.

Why do we need to use REXML with Chef on Windows? I think that systemd isn't used on Windows. So ruby-dbus isn't used.

[kou]

FYI: I've implemented #132. You can use pre-installed strscan (as a default gem) with REXML. So you don't need to build strscan.

[apavely]

If we don't have 2., you always use the latest REXML even if we have 1.

Agreed. I wasn't looking to for every case to be solved. That is, in part, the responsibility of the downstream gems and their users.

The semantic versioning focuses on only public API. And 3.2.7 doesn't introduce public API change. So we need to use more strict versioning schema than the semantic versioning if we use the semantic versioning based approach.

In my opinion, by setting a specific minimum version of a native extension dependency, you are changing the public API, albeit indirectly. This is one of the major issues when using dependencies that are native extensions.

Through no fault of their own, the previous release caused some pain when many users unexpectedly found their builds or systems breaking, including those that are "in production". We all have to be careful about how dependencies are used, as this lesson shows.

FYI: I've implemented #132. You can use pre-installed strscan (as a default gem) with REXML. So you don't need to build strscan.

Thank you. If the dependency issue is fully corrected through the change, and no further breakage occurs, then it arguably should be released as 3.2.9. Thereafter, I hope we all can be civil, as there is no need for hostility directed towards the maintainers.

In the future, when planning for a new release, if there are dependency changes (particularly if those changed dependencies will require building native extensions), it would be good to communicate with some of the direct users before such changes occur.

[paulschreiber]

This also broke iOS builds using the yukiarrr/ios-build-action GitHub action, which uses Fastlane:

[19:06:53]: Error setting value 'dev-client/ios/TerrasoLandPKS.xcworkspace' for option 'workspace'
[19:06:53]: You passed invalid parameters to 'build_app'.
[19:06:53]: Check out the error below and available options by running `fastlane action build_app`

full log.

[ariksu]

Why do we need to use REXML with Chef on Windows?

Chef cookbooks does not need to be OS-dependant and could include different recipes and cookbook references for different environment including different operating systems. However, the OS detection is execution-time, not compile-time and as such the gem dependency is built for all the dependant cookbook available.

(Last statement is my understanding, could be wrong. I'm the user of chef, not the developer)

[KJTsanaktsidis]

I know almost nothing about chef, but surely you should be installing from a Gemfile.lock to freeze the exact versions of dependencies you want. Then you can run bundle update to update the Gemfile.lock in a less anxiety producing environment than production to discover these things…

installing unconstrained software from the internet straight onto your servers seems like a bad idea

[kou]

In my opinion

In general, we should not customize well-defined definitions without changing their definition names. It makes communication difficult because each of us may think other thing with the same definition name. If the well-defined definition isn't matched for us, we should not use the original defined name.

In this case, if we want to use dependency change for versioning schema, we should not refer the semantic versioning. Because the semantic versioning definition says that dependency change isn't related to major/minor/patch release explicitly.

In the future, when planning for a new release, if there are dependency changes (particularly if those changed dependencies will require building native extensions), it would be good to communicate with some of the direct users before such changes occur.

It seems that it's not realistic. You can see all direct users by https://rubygems.org/gems/rexml/reverse_dependencies . We can't choose who should be communicated.

Can REXML users who want to improve REXML and REXML users test unreleased version in their CI (or something) instead?
If they use Gemfile, you can use gem "rexml", git: "https://github.com/ruby/rexml.git" for it.
See also: https://bundler.io/v2.5/man/gemfile.5.html

[kou]

@paulschreiber Could you open a new issue for it? It may be a regression bug. Could you also provide an XML file that is related to it and related codes that use REXML in the new issue?

[kou]

Chef cookbooks does not need to be OS-dependant and could include different recipes and cookbook references for different environment including different operating systems. However, the OS detection is execution-time, not compile-time and as such the gem dependency is built for all the dependant cookbook available.

I'm not familiar with Chef but, in general, needless dependencies should not be included for production.
If Chef users think so too, could you feedback it to Chef?

[jaredbeck]

Just in case it encourages someone else to upgrade .. I had no trouble compiling strscan on Debian 11 "bullseye".

FROM ruby:3.0.6-bullseye
...
Fetching strscan 3.1.0
Installing strscan 3.1.0 with native extensions

[kou]

REXML 3.2.9 doesn't require strscan 3.0.9 or later. It can use strscan installed as a default gem.
So this problem will be disappeared.

Semantic versioning is unrelated. I close this.

[fertrig]

I'm getting this error on 3.2.9:

REXML::ParseException - #<TypeError: wrong argument type String (expected Regexp)>
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/source.rb:220:in `scan'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/source.rb:220:in `match'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/parsers/baseparser.rb:227:in `pull_event'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/parsers/baseparser.rb:207:in `pull'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/parsers/treeparser.rb:23:in `parse'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/document.rb:448:in `build'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/document.rb:101:in `initialize'
/Library/Ruby/Gems/2.6.0/gems/xcodeproj-1.24.0/lib/xcodeproj/workspace.rb:83:in `new'
/Library/Ruby/Gems/2.6.0/gems/xcodeproj-1.24.0/lib/xcodeproj/workspace.rb:83:in `from_s'
/Library/Ruby/Gems/2.6.0/gems/xcodeproj-1.24.0/lib/xcodeproj/workspace.rb:66:in `new_from_xcworkspace'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer/user_project_integrator.rb:102:in `create_workspace'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer/user_project_integrator.rb:71:in `integrate!'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:929:in `block in integrate_user_project'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/user_interface.rb:64:in `section'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:925:in `integrate_user_project'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:185:in `integrate'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:170:in `install!'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/command/install.rb:52:in `run'
/Library/Ruby/Gems/2.6.0/gems/claide-1.0.3/lib/claide/command.rb:334:in `run'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/command.rb:52:in `run'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/bin/pod:55:in `<top (required)>'
/usr/local/bin/pod:23:in `load'
/usr/local/bin/pod:23:in `<main>'
...
wrong argument type String (expected Regexp)
Line: 1
Position: 38
Last 80 unconsumed characters:
<?xml version="1.0" encoding="UTF-8"?>
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/parsers/treeparser.rb:96:in `rescue in parse'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/parsers/treeparser.rb:21:in `parse'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/document.rb:448:in `build'
/Library/Ruby/Gems/2.6.0/gems/rexml-3.2.9/lib/rexml/document.rb:101:in `initialize'
/Library/Ruby/Gems/2.6.0/gems/xcodeproj-1.24.0/lib/xcodeproj/workspace.rb:83:in `new'
/Library/Ruby/Gems/2.6.0/gems/xcodeproj-1.24.0/lib/xcodeproj/workspace.rb:83:in `from_s'
/Library/Ruby/Gems/2.6.0/gems/xcodeproj-1.24.0/lib/xcodeproj/workspace.rb:66:in `new_from_xcworkspace'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer/user_project_integrator.rb:102:in `create_workspace'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer/user_project_integrator.rb:71:in `integrate!'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:929:in `block in integrate_user_project'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/user_interface.rb:64:in `section'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:925:in `integrate_user_project'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:185:in `integrate'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/installer.rb:170:in `install!'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/command/install.rb:52:in `run'
/Library/Ruby/Gems/2.6.0/gems/claide-1.0.3/lib/claide/command.rb:334:in `run'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/lib/cocoapods/command.rb:52:in `run'
/Library/Ruby/Gems/2.6.0/gems/cocoapods-1.15.2/bin/pod:55:in `<top (required)>'
/usr/local/bin/pod:23:in `load'
/usr/local/bin/pod:23:in `<main>'

The error goes away when using 3.2.6.

[kou]

@fertrig Thanks for your report. Could you open a new issue for it? It's not related to this issue.