Please cut a new release

[johnnyshields]

No description provided.

[zaccari]

The older version of rubyzip has JRuby ObjectSpace enabled which can lead to degraded performance and was fixed in 1.2.0 here (also referenced in #468). Is there anything I can help with to get axlsx to work with the latest rubyzip? My short-term fix is to patch the older gem when deploying to production but it would be nice to have the fixes in a new gem build.

[numbcoder]

Please push a new release!
The older version of rubyzip conflicts with other gems

[matthewrudy]

The rubyzip issue seems resolved?
And now Ruby 2.4.0 is released, would be great to avoid Fixnum deprecation warnings.

[radar]

This gem conflicts with roo's dependency on rubyzip (roo 2.6.0 has a rubyzip dependency of < 2.0.0, ~> 1.1). I'm using both axlsx and roo on a project here and it would help greatly if we could have a new release of axlsx which bumped this rubyzip dependency.

The new version doesn't even need to be off master. It could be off the latest tag and have just one commit in it which bumps the dependency.

[zealot128]

Any progress on that issue so far?
Unfortunately, Rubyzip 1.0.0 ist not recommended anymore and now part of the Ruby security advisory db:

Name: rubyzip
Version: 1.0.0
Advisory: CVE-2017-5946
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/315
Title: Directory traversal vulnerability in rubyzip
Solution: upgrade to >= 1.2.1

Vulnerabilities found!

As of now, it is not possible to run a secure rubyzip version together with a Gem version of axlsx.

[panozzaj]

Thank you for maintaining this gem! Came here because of the CVE listed above by @zealot128, which is causing our build to fail today due to running bundle audit to check for known security vulnerabilities.

I can definitely understand that the eventual long-term solution needs regression testing based on reading #419.

I think @radar's proposal of cutting a new gem version that just makes the rubyzip version more flexible but is otherwise identical to the latest release could be a short-term solution if the portions of the rubyzip interface that axlsx uses are not broken by using the newer version of rubyzip. I have not been actively involved with the project, so I could be wrong.

[blackst0ne]

Could you please update the gem?
I came here because of rubyzip.

[fabn]

CI builds are failing (using bundle-audit check --update) because of this and I cannot upgrade rubyzip because it's locked by axlsx:

Bundler could not find compatible versions for gem "rubyzip":
  In Gemfile:
    rubyzip (>= 1.2.1)

    axlsx was resolved to 2.0.1, which depends on
      rubyzip (~> 1.0.0)

[bolek]

same here :(

[gottfrois]

any update on this?

[thbar]

Ping @randym @snood1205 - not sure who is able to publish a new release? This is especially important because of the rubyzip security issue.

[snood1205]

@thbar I'm flattered, but I'm not a member of this team, I just PR'd that fix. You can use the bleeding-edge version with gem 'axlsx', git: 'https://github.com/randym/axlsx', branch: 'master' in your gemfile.

[fxfilmxf]

@randym any update on a new release?

[radar]

If there was an update don't you think he would've posted by now?

[thbar]

@radar I'm more wondering "what needs work for a new release / who & how could we help to do it", but not feeling entitled to anything 😄. My main concern is that some less zealous users, by default, will install axlsx with a vulnerable rubyzip by default. What can we do to make sure this doesn't happen?

[blackst0ne]

@randym, could you, please, update the gem?

[randym]

Thanks to all for the kick in the pants. Clearly I need to get at least a pre-release out so do we have any volunteers to run

https://github.com/randym/axlsx/blob/master/examples/example.rb

and confirm functionality without errors (master) on:

• office 2011 mac
• excel 2013 windows
• excel 2016 mac and windows
• office 365
• office online

[jbotelho2-bb]

I was able to test on Mac.

Some of them gave an error like:

Excel could not open example_streamed.xlsx because some content is unreadable. Do you want to open and repair this workbook?

After which I was able to collect a recovery log.

Excel 2016 Mac

• cached_formula.xlsx PASS
• example.xlsx FAIL

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<recoveryLog xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><logFileName>Repair Result to example_streamed2.xml</logFileName><summary>Errors were detected in file '/tmp/axlsx/example_streamed.xlsx'</summary><repairedRecords summary="Following is a list of repairs:"><repairedRecord>Repaired Records: Drawing from /xl/drawings/drawing1.xml (Drawing shape)</repairedRecord></repairedRecords></recoveryLog>

• example_streamed.xlsx FAIL

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<recoveryLog xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><logFileName>Repair Result to example0.xml</logFileName><summary>Errors were detected in file '/tmp/axlsx/example.xlsx'</summary><repairedRecords summary="Following is a list of repairs:"><repairedRecord>Repaired Records: Drawing from /xl/drawings/drawing1.xml (Drawing shape)</repairedRecord></repairedRecords></recoveryLog>

• no-use_autowidth.xlsx PASS
• rich_text.xlsx PASS
• shared_strings_example.xlsx FAIL

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<recoveryLog xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"><logFileName>Repair Result to shared_strings_example0.xml</logFileName><summary>Errors were detected in file '/tmp/axlsx/shared_strings_example.xlsx'</summary><repairedRecords summary="Following is a list of repairs:"><repairedRecord>Repaired Records: Drawing from /xl/drawings/drawing1.xml (Drawing shape)</repairedRecord></repairedRecords></recoveryLog>

• tab_color.xlsx PASS

I tested Excel 2010 on Windows as well, and saw similar errors.

[vindvaki]

@randym How do you feel about using the Open XML SDK for testing?

I tried using their OpenXmlValidator on the sheets generated by examples/example.rb and it seems to catch the same problems as Excel, but with more informative error messages. The code is incredibly simple.

I have a proof of concept running in Docker with the latest Mono image, and it would be relatively easy to set up CI around this to catch regressions in axlsx.

[thbar]

(not the maintainer, just chiming in!) @vindvaki anything that could help move to an automated testing (Travis etc) would be great indeed! (even if the event it wouldn't be 100% reliable). It would help scale contributors too.

[randym]

@vindvaki tl;dr is YES

can you provide a public repo that implements your ideas? For me, the only blocker regarding MS's Open XML SDK is a valid visual studio license. If we can provision a build that can legally run I am 100% behind the effort. One thing I cannot find in the Open XML SDK is version support as it only seems to apply to Office 2016. While I am not opposed to limiting support to version covered by the SDK I would like to provide as much interop support as possible moving forward.

For the rest of the folks gunning for a release - I should have a few hours this Saturday to dig into the drawing errors.

[vindvaki]

@randym Here's an MVP and here's a travis build with the output. Hope it helps!

As for interop with older versions etc, I don't really know (but I think we might be able to use older versions of the SDK). I just found out about the SDK yesterday and learnt "how to C#" just for this.

[randym]

@jbotelho2-bb @vindvaki can you guys test against the release-3.0.0 branch please? I believe I have solved the issue with the errors you were seeing.

[vindvaki]

@randym I still see the same issues using the Open XML SDK validator. I'll put together a PR adding the validator to the axlsx Travis build and also try to make it easier to run standalone to speed up the development cycle.

[vindvaki]

@randym I took the time to run all the examples separately to figure out what was still broken. The examples that are reported as corrupt with Office 2016 on Mac on current master are:

• images
• book_view
• hiding_sheets

I then checked out your release-3.0.0 branch, and it seems to have fixed the images example, but the other two remain corrupt.

Update: book_view and hiding_sheets were both fine; I was just running them in isolation and forgot to have at least one non-hidden worksheet, which excel does not like.

There is still something off, because Excel (for mac) keeps demanding that I save the document upon closing (which is not normal), but at least it does not report the sheet as corrupt like it used to.

Update 2: These are the examples where Excel wants me to save the file upon closing (each run individually on the branch release-3.0.0):

• cached_formula
• cell_style_override
• conditional_formatting
• defined_name
• formula
• images
• merge_cells

Update 3: Seems like all of the above are also fine. My guess is that the save prompt can be blamed on a recent update of Excel for mac, since it is technically modifying the files for caching purposes (e.g. in formula, the formula value gets cached on save).

[vindvaki]

@randym I just got my hands on Office 2007 on Windows for debugging, and found the following:

• paper_width and paper_height in the :printing example cause a corruption. Using paper_size instead works (but neither paper_height nor paper_width can be present).
• <a:round/> in line_series.rb causes a corruption. Removing it seems to make Excel happy.

[randym]

hoping to have a few hours next Saturday to continue with pre-release work. - important part is to communicate that I have not forgotten about getting a release out.

@vindvaki - do you mean 2017? I'm not all that concerned about supporting a 10 year old version of excel with the next 3.0 release. - also - and potentially more importantly - would you mind setting up a PR that sets up docker as per the validators needs and kicks

script:
  - docker run axlsx "./validate-xlsx-files.sh"
  - bundle exec rake

that should let us allow the validate-xlsx to fail without registering a failed build for the gem as we sort out the various issues the validator tells us about. My goal here is to move toward expanding our test suite to cover any possible errors from validation without being 100% chained to it until we are ready to commit to supporting the validator.

To the best of my knowledge the 3.0 release branch will generate xlsx files without repairs and can be released with the latest ruby-zip and nokogiri updates while we sort out any validation errors from that tool.

In case anyone has some spare time - two things I am very interested in investigating prior to release (if realistic) are thread safety for folks making massive spreadsheets with multiple threads and the archive sorting issue that breaks mime detection for sidekick (just needs specs to prove we are sorting correctly) #528

[vindvaki]

@randym While I did indeed use Excel 2007 😅 , I also agree that axlsx should not need to explicitly support such an old version. However, I think it's likely that if the examples work in Excel 2007, then they will also work in later versions. If you do not think the things I mentioned affect later versions, then that's fine as well.

As for the validator, there's already a PR open (see #520), which I'll amend to make the validation step non-mandatory.

[brynjargr]

@randym: Hello and thank you for this gem. I'm currently dealing with the issue of the rubyzip version 1.0.0 not being compatible with other functionality of my app, but axlsx 2.1.0.pre does not work for me either (I get a corrupt file). I do not have any need for thread safety, so I would be really interested in using the 3.0 version even before you figure that out. Is there any chance that you could release a pre-release of 3.0 so folks like myself can start using it before you get the thread safety figured out (and the archive sorting issue resolved)? It would be greatly appreciated.

[p-salido]

Can we have another release with ruby 2.4 deprecation warnings fixed please?

[jbotelho2-bb]

Any update?

[randym]

release-3.0.0 branch is ready to go to alpha, and I hope to publish next week. We will need to do the same 'does it work on version x of y' testing as I only have access to Excel for Mac 2011.

Depreciation warnings are fixed, specs and docs are 100%

Anyone want to preemptively try to make something that breaks on that branch? I am, as always, concerned with threading issues.

[Lenerenberg]

@randym: Is release-3.0 going to be published soon?

[randym]

yep.

3.0.0.pre is already released.
I am waiting a bit longer to see if any serious issues come in.

[Lenerenberg]

Thanks, I was looking at https://github.com/randym/axlsx/releases instead of https://rubygems.org/gems/axlsx/versions/3.0.0.pre

[pedrovitti]

Any updates on this topic? Thanks.

[coorasse]

We use the 3.0.0 since some time with no issues in different projects.

[noniq]

There’s now https://github.com/caxlsx/caxlsx where we have released 3.0.0, 3.0.1, and also 2.0.2 containing a backport for the rubyzip dependency problem.

[johnnyshields]

@noniq thank you for caxlsx!