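Why I did this
Because there are vulnerabilities in RubyGems, I installed rbenv-each and tried running a command across all my Rubies at once.
Weekly Rails Watch (20190311, part 1 of 2): Will "Rails Conductor" make a comeback after 14 years?, multiple vulnerabilities in RubyGems, the Rails ecosystem of 2009, and more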
rbenv/rbenv-each: rbenv plugin to Run a command across all installed rubies.
Installation
From the official repository:
    $ git clone https://github.com/rbenv/rbenv-each.git "$(rbenv root)"/plugins/rbenv-each

    # Verify the installation
    $ rbenv help each
    Usage: rbenv each [-v] <command> [arg1 arg2...]

    Executes a command for each Ruby version by setting RBENV_VERSION.
    Failures are collected and reported at the end.

      -v  Verbose mode. Prints a header for each ruby.
Checking that it works
Using this code as a reference, print the version information for every installed Ruby version.
    $ rbenv each ruby -e 'puts "ruby #{RUBY_VERSION} (#{RUBY_RELEASE_DATE} patchlevel #{RUBY_PATCHLEVEL}) [#{RUBY_PLATFORM}]"'
    ruby 2.2.8 (2017-09-14 patchlevel 477) [x86_64-darwin16]
    ruby 2.5.1 (2018-03-29 patchlevel 57) [x86_64-darwin16]
Time to update
The vulnerability fix apparently applies only to Ruby 2.4 and later, so the update fails for anything older. In this case, the update for 2.2.8 fails.
    $ rbenv each gem update --system
    Updating rubygems-update
    Fetching: rubygems-update-3.0.3.gem (100%)
    ERROR: Error installing rubygems-update:
        rubygems-update requires Ruby version >= 2.3.0.
    ERROR: While executing gem ... (NoMethodError)
        undefined method `version' for nil:NilClass
    Updating rubygems-update
    Fetching rubygems-update-3.0.3.gem
    Successfully installed rubygems-update-3.0.3
    Parsing documentation for rubygems-update-3.0.3
    Installing ri documentation for rubygems-update-3.0.3
    Installing darkfish documentation for rubygems-update-3.0.3
    Done installing documentation for rubygems-update after 40 seconds
    Parsing documentation for rubygems-update-3.0.3
    Done installing documentation for rubygems-update after 0 seconds
    Installing RubyGems 3.0.3
    Bundler 1.17.3 installed
    RubyGems 3.0.3 installed
    Regenerating binstubs
    Parsing documentation for rubygems-3.0.3
    Installing ri documentation for rubygems-3.0.3

    === 3.0.2 / 2019-01-01

    Minor enhancements:

    * Use Bundler-1.17.3. Pull request #2556 by SHIBATA Hiroshi.
    * Fix document flag description. Pull request #2555 by Luis Sagastume.

    Bug fixes:

    * Fix tests when ruby --program-suffix is used without rubygems
      --format-executable. Pull request #2549 by Jeremy Evans.
    * Fix Gem::Requirement equality comparison when ~> operator is used. Pull
      request #2554 by Grey Baker.
    * Unset SOURCE_DATE_EPOCH in the test cases. Pull request #2558 by Sorah
      Fukumori.
    * Restore SOURCE_DATE_EPOCH. Pull request #2560 by SHIBATA Hiroshi.

    === 3.0.1 / 2018-12-23

    Bug fixes:

    * Ensure globbed files paths are expanded. Pull request #2536 by Tony Ta.
    * Dup the Dir.home string before passing it on. Pull request #2545 by
      Charles Oliver Nutter.
    * Added permissions to installed files for non-owners. Pull request #2546
      by SHIBATA Hiroshi.
    * Restore release task without hoe. Pull request #2547 by SHIBATA Hiroshi.

    ------------------------------------------------------------------------------

    RubyGems installed the following executables:
        /Users/yamakawa00/.anyenv/envs/rbenv/versions/2.5.1/bin/gem
        /Users/yamakawa00/.anyenv/envs/rbenv/versions/2.5.1/bin/bundle

    Ruby Interactive (ri) documentation was installed. ri is kind of like man
    pages for Ruby libraries. You may access it like this:
      ri Classname
      ri Classname.class_method
      ri Classname#instance_method
    If you do not wish to install this documentation in the future, use the
    --no-document flag, or set it as the default in your ~/.gemrc file. See
    'gem help env' for details.

    RubyGems system software updated

    FAILED IN: 2.2.8
In the end, 2.5.1 was the only version eligible for the vulnerability fix, so I wondered whether I had needed to install rbenv-each at all, but everything is experience.
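An added example (not from the original post or the rbenv-each project): a POSIX shell audit that reports, after the bulk update, which Rubies still carry a RubyGems older than 3.0.3, and separates out those that cannot take the update because Ruby is older than 2.3.0, the requirement shown in the error output above. The function names and the sample version pairs are constructed for illustration.

```shell
#!/bin/sh
# Thresholds taken from the update output on this page: rubygems-update 3.0.3,
# which "requires Ruby version >= 2.3.0". Function names are hypothetical.
MIN_GEMS=3.0.3
MIN_RUBY=2.3.0

# version_lt A B: succeed when dotted version A is older than B.
# Assumes purely numeric components (no "preview" or "beta" suffixes).
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0}; y=${y:-0}          # a missing component counts as 0
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 1                        # equal versions are not "older"
}

# audit_rubygems: read "RUBY_VERSION GEM_VERSION" pairs on stdin, one per
# installed Ruby, and print a status line for each.
audit_rubygems() {
  while read -r ruby gems; do
    [ -n "$ruby" ] || continue
    if ! version_lt "$gems" "$MIN_GEMS"; then
      echo "$ruby rubygems=$gems ok"
    elif version_lt "$ruby" "$MIN_RUBY"; then
      # gem update --system cannot install 3.0.3 here; Ruby must be upgraded.
      echo "$ruby rubygems=$gems outdated ruby-too-old"
    else
      echo "$ruby rubygems=$gems outdated run-gem-update"
    fi
  done
}

# Constructed sample input. On a real machine, feed it from rbenv-each instead:
#   rbenv each ruby -e 'puts "#{RUBY_VERSION} #{Gem::VERSION}"' | audit_rubygems
SAMPLE='2.2.8 2.4.5.1
2.4.5 2.6.14
2.5.1 3.0.3'
audit_sample() { printf '%s\n' "$SAMPLE" | audit_rubygems; }

audit_sample
```

Any line marked ruby-too-old is a Ruby that `gem update --system` will keep failing on, as 2.2.8 did above.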