Please cut a new release #501

Closed
johnnyshields opened this issue Nov 14, 2016 · 39 comments
Labels
Done in caxlsx This has already been solved in the caxlsx fork.

Comments

@johnnyshields

No description provided.

@zaccari
Contributor

zaccari commented Nov 23, 2016

The older version of rubyzip has JRuby ObjectSpace enabled which can lead to degraded performance and was fixed in 1.2.0 here (also referenced in #468). Is there anything I can help with to get axlsx to work with the latest rubyzip? My short-term fix is to patch the older gem when deploying to production but it would be nice to have the fixes in a new gem build.

@numbcoder

Please push a new release!
The older version of rubyzip conflicts with other gems

@matthewrudy

The rubyzip issue seems resolved?
And now Ruby 2.4.0 is released, would be great to avoid Fixnum deprecation warnings.

@radar

radar commented Dec 29, 2016

This gem conflicts with roo's dependency on rubyzip (roo 2.6.0 has a rubyzip dependency of < 2.0.0, ~> 1.1). I'm using both axlsx and roo on a project here and it would help greatly if we could have a new release of axlsx which bumped this rubyzip dependency.

The new version doesn't even need to be off master. It could be off the latest tag and have just one commit in it which bumps the dependency.

@zealot128

zealot128 commented Mar 2, 2017

Any progress on that issue so far?
Unfortunately, Rubyzip 1.0.0 is not recommended anymore and is now part of the Ruby security advisory db:

Name: rubyzip
Version: 1.0.0
Advisory: CVE-2017-5946
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/315
Title: Directory traversal vulnerability in rubyzip
Solution: upgrade to >= 1.2.1

Vulnerabilities found!

As of now, it is not possible to run a secure rubyzip version together with a Gem version of axlsx.
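
The advisory quoted above is rubyzip's directory-traversal issue: an archive entry whose name carried `../` components (or an absolute path) could be written outside the directory it was being extracted into. The Ruby below is an added example, not code from this thread, from rubyzip or from axlsx. It resolves each entry name lexically against the destination and rejects anything that would land outside it, covering the cases a naive `start_with?` check misses: the prefix trap (`/tmp/outside` versus `/tmp/out`), backslash separators, a leading `~` (which `File.expand_path` would expand to a home directory) and embedded NUL bytes. The entry names and the `/tmp/out` destination are constructed for the example.

```ruby
# Constructed sample of entry names, standing in for what a hostile archive
# could carry (they are not entries from any file discussed in the thread).
SAMPLE_ENTRIES = [
  "report/data.csv",            # ordinary file
  "report/../notes.txt",        # dot-dot that still resolves inside dest
  "../../etc/cron.d/evil",      # classic traversal
  "../outside/x",               # lands in a sibling dir sharing dest's prefix
  "/etc/passwd",                # absolute path
  "..\\..\\windows\\win.ini",   # backslash-separated variant
  "~/.ssh/authorized_keys",     # tilde, which File.expand_path would expand
  "report/\u0000.txt",          # embedded NUL
].freeze

# Return the absolute path an entry may be written to under +dest+, or nil
# when the entry must be rejected. Resolution is purely lexical: it does not
# follow symlinks that already exist under dest, which is a separate concern.
def safe_extract_target(dest, entry_name)
  root = File.expand_path(dest)
  prefix = root.end_with?(File::SEPARATOR) ? root : root + File::SEPARATOR

  # A NUL would truncate the name at the OS boundary; a leading ~ is expanded
  # by File.expand_path and would resolve to a home directory.
  return nil if entry_name.include?("\0") || entry_name.start_with?("~")

  # Treat backslash as a separator so "..\\.." cannot slip past the check on
  # platforms where it is one.
  name = entry_name.tr("\\", "/")
  return nil if name.start_with?("/")

  target = File.expand_path(name, root)
  # Compare against "root/" (with the trailing separator) so that
  # "/tmp/outside/x" is not accepted for a dest of "/tmp/out".
  target.start_with?(prefix) ? target : nil
end

# Partition entry names into accepted (name => target path) and rejected.
def plan_extraction(dest, entry_names)
  plan = { allowed: {}, rejected: [] }
  entry_names.each do |name|
    target = safe_extract_target(dest, name)
    if target
      plan[:allowed][name] = target
    else
      plan[:rejected] << name
    end
  end
  plan
end

if __FILE__ == $PROGRAM_NAME
  plan = plan_extraction("/tmp/out", SAMPLE_ENTRIES)
  plan[:allowed].each { |name, target| puts "extract  #{name.inspect} -> #{target}" }
  plan[:rejected].each { |name| puts "REJECT   #{name.inspect}" }
end
```

If you put this in front of rubyzip, call `Zip::Entry#extract` with the target from `plan[:allowed]` and skip every name that resolved to `nil`; the destination directory must exist and be free of attacker-controlled symlinks, since the check above only reasons about the name, not the filesystem.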

@panozzaj

panozzaj commented Mar 2, 2017

Thank you for maintaining this gem! Came here because of the CVE listed above by @zealot128, which is causing our build to fail today due to running bundle audit to check for known security vulnerabilities.

I can definitely understand that the eventual long-term solution needs regression testing based on reading #419.

I think @radar's proposal of cutting a new gem version that just makes the rubyzip version more flexible but is otherwise identical to the latest release could be a short-term solution if the portions of the rubyzip interface that axlsx uses are not broken by using the newer version of rubyzip. I have not been actively involved with the project, so I could be wrong.

@blackst0ne

Could you please update the gem?
I came here because of rubyzip.

@fabn

fabn commented Mar 3, 2017

CI builds are failing (using bundle-audit check --update) because of this and I cannot upgrade rubyzip because it's locked by axlsx:

Bundler could not find compatible versions for gem "rubyzip":
  In Gemfile:
    rubyzip (>= 1.2.1)

    axlsx was resolved to 2.0.1, which depends on
      rubyzip (~> 1.0.0)
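
The failure shown above is a transitive pin: axlsx 2.0.1 declares `rubyzip (~> 1.0.0)`, so no version in the advisory's patched range (`>= 1.2.1`) can satisfy the resolver, however the application's own Gemfile is written. The Ruby below is an added example, not code from this thread, from bundler or from bundler-audit. Using only `Gem::Version` and `Gem::Requirement` from the standard library, it parses the `specs:` section of a Gemfile.lock, reports whether the locked rubyzip falls outside the patched range, and names the dependents whose pin admits no patched version at all, which is what separates "run `bundle update rubyzip`" from "needs a new axlsx release". The lockfile excerpt and the list of candidate rubyzip versions are assumptions constructed for the example; a real check would read the lockfile from disk and the candidate versions from the gem index.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Constructed Gemfile.lock excerpt for an application on axlsx 2.0.1; it is
# not a lockfile taken from the thread.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      axlsx (2.0.1)
        htmlentities (~> 4.3.1)
        nokogiri (>= 1.4.1)
        rubyzip (~> 1.0.0)
      htmlentities (4.3.4)
      nokogiri (1.7.0.1)
      rubyzip (1.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    axlsx
LOCK

# Advisory data as printed by bundle-audit earlier in the thread.
ADVISORY = {
  gem: "rubyzip",
  id: "CVE-2017-5946",
  patched: Gem::Requirement.new(">= 1.2.1"),
}.freeze

# Versions the resolver could choose from. Assumed for the example; a real
# check would fetch the released versions from the gem index instead.
RUBYZIP_CANDIDATES = %w[1.0.0 1.1.0 1.1.7 1.2.0 1.2.1].freeze

# Parse the "specs:" block of a Gemfile.lock into
#   { name => { version: Gem::Version, deps: { dep_name => Gem::Requirement } } }
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.rstrip
    if line == "  specs:"
      in_specs = true
      next
    end
    next unless in_specs
    break if line.empty? # a blank line closes the specs block
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)) # "    name (version)"
      current = m[1]
      specs[current] = { version: Gem::Version.new(m[2]), deps: {} }
    elsif current && (m = line.match(/\A {6}(\S+)(?: \((.+)\))?\z/)) # "      dep (req, req)"
      reqs = m[2] ? m[2].split(", ") : [">= 0"]
      specs[current][:deps][m[1]] = Gem::Requirement.new(*reqs)
    end
  end
  specs
end

# True when the locked version of the advisory's gem is outside the patched range.
def locked_vulnerable?(specs, advisory)
  !advisory[:patched].satisfied_by?(specs.fetch(advisory[:gem])[:version])
end

# Dependents whose requirement on the advisory's gem admits no candidate
# version that is also patched. These pins cannot be resolved past by
# `bundle update`; only a new release of the dependent fixes them.
# Returns { dependent_name => pin_as_string }.
def blocking_pins(specs, advisory, candidates)
  name = advisory[:gem]
  versions = candidates.map { |v| Gem::Version.new(v) }
  specs.each_with_object({}) do |(gem_name, spec), out|
    pin = spec[:deps][name]
    next unless pin
    fixable = versions.any? { |v| pin.satisfied_by?(v) && advisory[:patched].satisfied_by?(v) }
    out[gem_name] = pin.to_s unless fixable
  end
end

if __FILE__ == $PROGRAM_NAME
  specs = parse_lock_specs(LOCKFILE)
  puts "#{ADVISORY[:gem]} #{specs[ADVISORY[:gem]][:version]} vulnerable to #{ADVISORY[:id]}: #{locked_vulnerable?(specs, ADVISORY)}"
  blocking_pins(specs, ADVISORY, RUBYZIP_CANDIDATES).each do |dep, pin|
    puts "#{dep} pins #{ADVISORY[:gem]} (#{pin}); no patched version fits, a new #{dep} release is needed"
  end
end
```

Relaxing the pin (for instance to `>= 1.0.0`) empties the blocker list, but the locked version stays vulnerable until the bundle is actually re-resolved, which is why the output reports both facts separately.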

@bolek

bolek commented Mar 3, 2017

same here :(

@gottfrois

any update on this?

@thbar

thbar commented Mar 9, 2017

Ping @randym @snood1205 - not sure who is able to publish a new release? This is especially important because of the rubyzip security issue.

@snood1205
Contributor

@thbar I'm flattered, but I'm not a member of this team, I just PR'd that fix. You can use the bleeding-edge version with gem 'axlsx', git: 'https://github.com/randym/axlsx', branch: 'master' in your gemfile.

@fxfilmxf

@randym any update on a new release?

@radar

radar commented Mar 14, 2017

If there was an update don't you think he would've posted by now?

@thbar

thbar commented Mar 14, 2017

@radar I'm more wondering "what needs work for a new release / who & how could we help to do it", but not feeling entitled to anything 😄. My main concern is that some less zealous users will, by default, install axlsx with a vulnerable rubyzip. What can we do to make sure this doesn't happen?

@blackst0ne

@randym, could you, please, update the gem?

@randym
Owner

randym commented Mar 21, 2017

Thanks to all for the kick in the pants. Clearly I need to get at least a pre-release out so do we have any volunteers to run

https://github.com/randym/axlsx/blob/master/examples/example.rb

and confirm functionality without errors (master) on:

  • office 2011 mac
  • excel 2013 windows
  • excel 2016 mac and windows
  • office 365
  • office online

@jbotelho2-bb

jbotelho2-bb commented Mar 21, 2017

I was able to test on Mac.

Some of them gave an error like:

Excel could not open example_streamed.xlsx because some content is unreadable. Do you want to open and repair this workbook?

After which I was able to collect a recovery log.

Excel 2016 Mac

  • cached_formula.xlsx PASS
  • example.xlsx FAIL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<recoveryLog xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><logFileName>Repair Result to example_streamed2.xml</logFileName><summary>Errors were detected in file '/tmp/axlsx/example_streamed.xlsx'</summary><repairedRecords summary="Following is a list of repairs:"><repairedRecord>Repaired Records: Drawing from /xl/drawings/drawing1.xml (Drawing shape)</repairedRecord></repairedRecords></recoveryLog>
  • example_streamed.xlsx FAIL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<recoveryLog xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><logFileName>Repair Result to example0.xml</logFileName><summary>Errors were detected in file '/tmp/axlsx/example.xlsx'</summary><repairedRecords summary="Following is a list of repairs:"><repairedRecord>Repaired Records: Drawing from /xl/drawings/drawing1.xml (Drawing shape)</repairedRecord></repairedRecords></recoveryLog>
  • no-use_autowidth.xlsx PASS
  • rich_text.xlsx PASS
  • shared_strings_example.xlsx FAIL
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<recoveryLog xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><logFileName>Repair Result to shared_strings_example0.xml</logFileName><summary>Errors were detected in file '/tmp/axlsx/shared_strings_example.xlsx'</summary><repairedRecords summary="Following is a list of repairs:"><repairedRecord>Repaired Records: Drawing from /xl/drawings/drawing1.xml (Drawing shape)</repairedRecord></repairedRecords></recoveryLog>
  • tab_color.xlsx PASS

I tested Excel 2010 on Windows as well, and saw similar errors.

@vindvaki

@randym How do you feel about using the Open XML SDK for testing?

I tried using their OpenXmlValidator on the sheets generated by examples/example.rb and it seems to catch the same problems as Excel, but with more informative error messages. The code is incredibly simple.

I have a proof of concept running in Docker with the latest Mono image, and it would be relatively easy to set up CI around this to catch regressions in axlsx.

@thbar

thbar commented Mar 28, 2017

(not the maintainer, just chiming in!) @vindvaki anything that could help move to automated testing (Travis etc.) would be great indeed! (even in the event it wouldn't be 100% reliable). It would help scale contributors too.

@randym
Owner

randym commented Mar 28, 2017

@vindvaki tl;dr is YES

can you provide a public repo that implements your ideas? For me, the only blocker regarding MS's Open XML SDK is a valid Visual Studio license. If we can provision a build that can legally run I am 100% behind the effort. One thing I cannot find in the Open XML SDK is version support, as it only seems to apply to Office 2016. While I am not opposed to limiting support to the versions covered by the SDK, I would like to provide as much interop support as possible moving forward.

For the rest of the folks gunning for a release - I should have a few hours this Saturday to dig into the drawing errors.

@vindvaki

@randym Here's an MVP and here's a travis build with the output. Hope it helps!

As for interop with older versions etc, I don't really know (but I think we might be able to use older versions of the SDK). I just found out about the SDK yesterday and learnt "how to C#" just for this.

@randym
Owner

randym commented Apr 1, 2017

@jbotelho2-bb @vindvaki can you guys test against the release-3.0.0 branch please? I believe I have solved the issue with the errors you were seeing.

@vindvaki

vindvaki commented Apr 1, 2017

@randym I still see the same issues using the Open XML SDK validator. I'll put together a PR adding the validator to the axlsx Travis build and also try to make it easier to run standalone to speed up the development cycle.

@vindvaki

vindvaki commented Apr 24, 2017

@randym I took the time to run all the examples separately to figure out what was still broken. The examples that are reported as corrupt with Office 2016 on Mac on current master are:

  • images
  • book_view
  • hiding_sheets

I then checked out your release-3.0.0 branch, and it seems to have fixed the images example, but the other two remain corrupt.

Update: book_view and hiding_sheets were both fine; I was just running them in isolation and forgot to have at least one non-hidden worksheet, which excel does not like.

There is still something off, because Excel (for mac) keeps demanding that I save the document upon closing (which is not normal), but at least it does not report the sheet as corrupt like it used to.

Update 2: These are the examples where Excel wants me to save the file upon closing (each run individually on the branch release-3.0.0):

  • cached_formula
  • cell_style_override
  • conditional_formatting
  • defined_name
  • formula
  • images
  • merge_cells

Update 3: Seems like all of the above are also fine. My guess is that the save prompt can be blamed on a recent update of Excel for mac, since it is technically modifying the files for caching purposes (e.g. in formula, the formula value gets cached on save).

@vindvaki

vindvaki commented Apr 25, 2017

@randym I just got my hands on Office 2007 on Windows for debugging, and found the following:

@randym
Owner

randym commented May 9, 2017

hoping to have a few hours next Saturday to continue with pre-release work. - important part is to communicate that I have not forgotten about getting a release out.

@vindvaki - do you mean 2017? I'm not all that concerned about supporting a 10 year old version of excel with the next 3.0 release. - also - and potentially more importantly - would you mind setting up a PR that sets up docker as per the validators needs and kicks

script:
  - docker run axlsx "./validate-xlsx-files.sh"
  - bundle exec rake

that should let us allow the validate-xlsx to fail without registering a failed build for the gem as we sort out the various issues the validator tells us about. My goal here is to move toward expanding our test suite to cover any possible errors from validation without being 100% chained to it until we are ready to commit to supporting the validator.

To the best of my knowledge the 3.0 release branch will generate xlsx files without repairs and can be released with the latest ruby-zip and nokogiri updates while we sort out any validation errors from that tool.

In case anyone has some spare time - two things I am very interested in investigating prior to release (if realistic) are thread safety for folks making massive spreadsheets with multiple threads and the archive sorting issue that breaks mime detection for sidekick (just needs specs to prove we are sorting correctly) #528

@vindvaki

vindvaki commented May 9, 2017

@randym While I did indeed use Excel 2007 😅 , I also agree that axlsx should not need to explicitly support such an old version. However, I think it's likely that if the examples work in Excel 2007, then they will also work in later versions. If you do not think the things I mentioned affect later versions, then that's fine as well.

As for the validator, there's already a PR open (see #520), which I'll amend to make the validation step non-mandatory.

@brynjargr

@randym: Hello and thank you for this gem. I'm currently dealing with the issue of the rubyzip version 1.0.0 not being compatible with other functionality of my app, but axlsx 2.1.0.pre does not work for me either (I get a corrupt file). I do not have any need for thread safety, so I would be really interested in using the 3.0 version even before you figure that out. Is there any chance that you could release a pre-release of 3.0 so folks like myself can start using it before you get the thread safety figured out (and the archive sorting issue resolved)? It would be greatly appreciated.

@p-salido

p-salido commented Jun 6, 2017

Can we have another release with ruby 2.4 deprecation warnings fixed please?

@jbotelho2-bb

Any update?

@randym
Owner

randym commented Feb 14, 2018

release-3.0.0 branch is ready to go to alpha, and I hope to publish next week. We will need to do the same 'does it work on version x of y' testing as I only have access to Excel for Mac 2011.

Deprecation warnings are fixed, specs and docs are 100%

Anyone want to preemptively try to make something that breaks on that branch? I am, as always, concerned with threading issues.

@Lenerenberg

@randym: Is release-3.0 going to be published soon?

@randym
Owner

randym commented Mar 16, 2018

yep.

3.0.0.pre is already released.
I am waiting a bit longer to see if any serious issues come in.

@pedrovitti

Any updates on this topic? Thanks.

@coorasse

We have used 3.0.0 for some time with no issues in different projects.

chrislo added a commit to Crown-Commercial-Service/crown-marketplace that referenced this issue Oct 17, 2018
This service class takes a list of branches and produces an equivalent
spreadsheet.

After some investigation of the available ruby gems we settled on
`axlsx` for the spreadsheet generation as it is the most
feature-complete gem available for generating spreadsheets, including
support for formulas which we are planning to use to provide some
early-stage calculator features.

Unfortunately there doesn't seem to be a gem available for generating
Open Document Format spreadsheets, which GOV.UK in particular are
pushing for[1]. Axlsx supports generating files in the competing
Office Open XML standard[2].

We are depending on the pre-release version of the gem, as it fixes
the ruby deprecation warnings we see if we run the released
version[3].

We also have to use a separate gem to allow the spreadsheets to be
read in the specs as `axlsx` doesn't support reading. For this we're
using `rubyXL` which of the available read-capable gems had an
interface which supports `StringIO` and therefore avoids writing
temporary files.

[1] https://gdstechnology.blog.gov.uk/2018/04/27/open-document-format-in-government-an-update/
[2] https://en.wikipedia.org/wiki/Office_Open_XML
[3] randym/axlsx#501 (comment)

Co-authored-by: Ben Griffiths <[email protected]>
@noniq
Collaborator

noniq commented Dec 15, 2019

There’s now https://github.com/caxlsx/caxlsx where we have released 3.0.0, 3.0.1, and also 2.0.2 containing a backport for the rubyzip dependency problem.

@noniq noniq added the Done in caxlsx This has already been solved in the caxlsx fork. label Dec 15, 2019
@johnnyshields
Author

@noniq thank you for caxlsx!
