Upgrade carrierwave to 3.0.4

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Label this issue
• Close this issue

Summary

We are currently depending on carrierwave ~> 1.3. This means we currently ship carrierwave 1.3.1 , which was released in 2018-12-29 (currently: 1.3.4 which includes a backport for a ruby 2.7 issue).

We should update to latest and/or at least 2.1.x.

We should consider going directly to latest 3.x, as per @stanhu comments here: #216067 (comment 593408556) it seems it behaves more like V1 regarding object storage behavior, which simplify things a lot for us.

Because we have made some heavy customizations on our usage of carrierwave, that will create some extra challenges on reviewing the code. Hopefully no change will be required other than the gem update.

If we have code in place to "fix" something that was fixed upstream we should consider simplifying and removing our band-aids.

Additional information

Changelog starting on 3.x:

3.0.4 - 2023-10-08

Fixed

• Fix model's dirty state remaining after update (@rajyan #2707, #2702)
• Fix #dup modifying the original object (@rajyan #2690, #2706, #2689, #2700)
• Fix #dup not respecting the :mount_on option, causing MissingAttributeError (@marsz #2691)

3.0.3 - 2023-08-21

Fixed

• Fix #dup modifying the original object (@mshibuya 37f36f7, #2687)
• Fix wrongly removing files on transaction rollback (@mshibuya, @rajyan eb03fe1, #2686, #2685)

3.0.2 - 2023-08-01

Fixed

• Fix deduplicated filename not being persisted (@mshibuya #2679, #2678, #2677)

3.0.1 - 2023-07-22

Fixed

• Fix not respecting the parent's #enable_processing value after reading its own (@mshibuya 2df0f53, #2676)
• Fix NoMethodError when a record is rolled back (@y-yagi #2674, #2675)
• Fix filename suffix being removed due to unnecessary deduplication (@mshibuya d68a111, #2672)
• Fix #dup causing unintended name deduplication of copied files (@mshibuya b732acd, #2670)
• Fix initialization failing when active_support/core_ext is not loaded yet (@mshibuya 875d972)

3.0.0 - 2023-07-02

No changes.

3.0.0.rc - 2023-06-11

Added

• Support adding suffix to filename on store when path collides with the existing ones (@mshibuya 07a5632, #1855)
• Add image dimension validation (@TsubasaYoshida #2592, 3b1f8b4)
• Provide validation error details via ActiveModel::Errors#details (@mshibuya 9013999, #2150)
• Support clearing #remote_urls by assigning nil (@mshibuya 8307f93, #2067)
• Support configuration of download retry wait time (@tricknotes #2646)
• Support for ActiveRecord::Base#dup (@mshibuya, @BrianHawley 19b33b8, #2645, #1962)
• Add CarrierWave::Storage::Fog::File#to_file for interface consistency with SanitizedFile (@mshibuya 68ce83a, #1960)
• Allow SanitizedFile to accept read with an optional length and output_buffer arguments (@mshibuya 9096459, #1959)

Changed

• Stop relying on ActiveModel::Dirty change tracking for removal of unnecessary files (@mshibuya aac25c1)
• Create versions lazily to reflect subclass configurations properly (@mshibuya 1531a67, #1957, #2619)
• [BREAKING CHANGE] Use the resulting file extension on changing format by :convert (@mshibuya #2659, #2125, #2126, #2254)
• Prioritize Magic-detected content type for spoof-tolerance (@mshibuya a2ca59c, #2570)
• Handle assignments in an ActiveModel::Dirty-friendly way (@mshibuya #2658, #2404, #2409, #2468)
• Give a stable name to classes created by the mount_uploader block (@mshibuya f5b09b8, #2407, #2471)
• Give a stable name to version classes (@mshibuya a9de756, #2407, #2471)

Fixed

• Fix CarrierWave::Storage::Fog::File#read breaking when the file doesn't exist (@mshibuya 246eb01, #2524)
• Fix to preserve the original URI as much as possible on download (@mshibuya 2f3afaf, #2631)
• Fix not to invoke content type detection on #copy_to as it's costly (@mshibuya 6c6e2dc, #2465)
• Fix calling #=~ on non-String breaking in Ruby 3.2 (@aubinlrx #2653, fd03ddd)
• Fix #clean_cache! to respect the uploader's root, not the global one (@sawasaki-narumi #2652, 3cb9992, #2113)
• Fix to use helper method #fog_provider instead of checking #fog_credentials (@joshuamsager #2660)
• Fix being unable to delete a file by assigning nil (@mshibuya f8ea354, #2654, #2613)
• Fix to raise exception when ImageMagick is not installed (@mshibuya d90c399, #2060)
• Fix to remove unnecessary floodfill in CarrierWave::RMagick#resize_and_pad (@mshibuya f34a9bd)
• Fix #{column}_cache= fails to be stored when set as a nested attribute (@mshibuya e84d11e, #2206)
• Fix to use AWS S3 regional endpoints when using virtual-hosted style (@mshibuya 8dace34, #2523)
• Fix to respect condition on processing a derived version (@mshibuya 1fecddc, #2516)
• Fix #recreate_versions! affecting the original file (@mshibuya a67bfb6, 5f00715, #2480, #2655)
• Fix remove_#{column}! doesn't remove the file immediately (@mshibuya b719fb3, #2540)
• Fix column value populated without a file when using filename override (@mshibuya f1eff6e, #2284)
• Fix boolean configurations couldn't be set to false on a per-uploader basis (@megane42 #2642)
• Fix #clean_cache! breaking with directories that doesn't conform to CarrierWave's cache_id format (@BrianHawley #2641)

3.0.0.beta - 2022-11-19

Added

• Add basename and fix extension value for fog file (@leductienttkt #2587)
• Allow uploaders to accept unless conditions (@Vpatel1093 #2588)
• Add retry option to download from remote url (@tashirosota #2577)

Deprecated

• #denylist was deprecated to prefer explicitly opting-in (@mshibuya 7a40ef7, #2536)

Changed

• Completely migrate to allowlist/denylist terminology (@mshibuya 7a40ef7, #2536)
• Remove implementation-dependent information from an error message (@akihikodaki #2499)
• Replace mini_mime with marcel (@pjmartorell #2552)
• [BREAKING CHANGE] Change to store files on after_save hook instead of after_commit, with performing cleanup when transaction is rolled back (@fsateler #2546)

Removed

• Drop support for Ruby < 2.5 and Rails 5.x (@mshibuya 229594f)
• Remove support for Merb (@seuros #2566)

Fixed

• Add Workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@mshibuya 65bf0d9, #2628)
• Fix Ruby 2.7 keyword argument warning in uploader process (@nachiket87 #2636, #2635)
• Raise DownloadError when no content is returned (@BrianHawley #2633, #2632)
• Add workaround for the API change in ssrf_filter 1.1 (@BrianHawley #2629, #2625)
• Fix Content-Type not being copied when using fog-google (@smnscp #2614)
• Fix failing to save after limiting the columns with ActiveRecord's #select (@wonda-tea-coffee #2613, #2608)
• Fix content type detection for JSON files (@smnscp #2618)
• Remove invalid byte sequences from the sanitized filename (@alexdunae #2606)
• Fix issue with copying a fog file larger than 5GB (@slonopotamus #2583)
• Stop closing StringIO-based file after CarrierWave::SanitizedFile#read (@aleksandrs-ledovskis #2571)

Changelog since 1.3.1 to 2.x:

2.2.4 - 2023-06-10

###Fixed

• Fix Ruby 2.7 keyword argument warning in uploader process ( @SuperTux88 #2665, #2636, #2635)

2.2.3 - 2022-11-21

Fixed

• Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@mshibuya c74579d, #2628)
• Add workaround for the API change in ssrf_filter 1.1 (@BrianHawley #2629, #2625)

2.2.2 - 2021-05-28

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@pjmartorell #2562, #2559)

2.2.1 - 2021-03-30

Changed

• Replace mimemagic with marcel due to licensing concern (@pjmartorell #2551, #2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@mshibuya 42c620a1, #2532)

2.2.0 - 2021-02-23

Added

• libvips support through ImageProcessing::Vips and ruby-vips (@rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@inkstak #2474, #2424)
• Skip content type and extension filters where possible (@alexpooley #2464)
• Fix file's #url being called twice, which might be costly for non-local files (@skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@kmiyake #2510)
• Fix mime type detection for MS Office files (@anthonypenner #2447)

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 387116f5, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya 012702eb, GHSA-fwcm-636p-68r5)

2.1.1 - 2021-02-08

Security

• Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 15bcf8d8, GHSA-cf3w-g86h-35x4)
• Fix SSRF vulnerability in the remote file download feature (@mshibuya e0f79e36, GHSA-fwcm-636p-68r5)

2.1.0 - 2020-02-16

Added

• Support authenticated_url for Blackblaze provider(@kevivmatrix #2444)

Fixed

• Fix Ruby 2.7 deprecations(@mshibuya 9a37fc9e)
• Fix S3 path-style URL for host with dots for buckets that are placed in other regions than us-east-1(@Bonias #2439)
• Make MiniMagick::Image constant absolute to prevent misleading 'uninitialized constant' error(@p8 #2437)

2.0.2 - 2019-09-28

Fixed

• Fix download causing nil error if the file has empty filename(@fukayatsu #2419, #2411)

2.0.1 - 2019-08-31

Fixed

• Fix #{column}_cache unintentionally removing files on assigning empty string(@mshibuya 22e8005e, #2412)

2.0.0 - 2019-08-18

No changes.

2.0.0.rc - 2019-06-23

Added

• Append, reorder, and remove-single-file feature for multiple file uploader(@mshibuya #2401)
• Allow retrieval of uploader index within uploaders(@mshibuya #1771)
• Add ability to customize downloaders(@mshibuya #1636)
• Support internationalized domain names for downloader(@mshibuya #2086)
• Support authenticated_url for Aliyun provider(@Nitrino #2381)
• Support passing options to authenticated_url for OpenStack provider(@stanhu #2377)
• Support authenticated_url for AzureRM provider(@Nitrino #2375)
• Allow custom expires_at when building an authenticated_url(@stephankaag #2397)

Changed

• Use the storage given by storage configuration also for cache_storage unless explicitly specified(@mshibuya 629afecb)
• Improve Fog initialization(@mshibuya #2395)
• [BREAKING CHANGE] Multiple file uploader now keeps successful files on update, only discarding failed ones(@mshibuya 7db9195d)
• [BREAKING CHANGE] #remote_#{column}_urls= was changed to preserve precedent updates(@mshibuya 8f18a95b)
• #serializable_hash now returns string for version keys(@schovi #2246)
• Use the MimeMagic gem to inspect file headers for the mime type. This allows for mitigation of CVE-2016-3714, in combination with a content_type_whitelist(@locriani #1934)
• Replace mime-types dependency with mini_mime to save memory(@bradleypriest #2292)
• Delegate MiniMagick processing to ImageProcessing gem(@janko #2298)
• Handle ActiveRecord transaction correctly, not storing or removing files on rollback(@skosh #2209)

Deprecated

• fog_provider configuration was deprecated and has no effect, just adding fog providers to Gemfile will load them(@mshibuya ca201ee2)
• CarrierWave::Uploader::Base#sanitized_file was deprecated, use #file instead(@mshibuya 28190e99)

Removed

• Remove support for Rails 4.x and Ruby 2.0/2.1 (@mshibuya bada043f)

Fixed

• Fix deleting files twice when marked for removal(@mshibuya 67800fde)
• Fix uploader.cache! loads entire contents of file into memory(@mshibuya #2136)
• Do not trigger *_will_change! when file is not to be removed(@mshibuya #2323)
• Allow deleting all files for multiple file upload(@mshibuya #1990)
• Failing to retrieve unquoted filenames from Content-Disposition(@mshibuya #2364)
• Fix #clean_cache! breaking with old format of cache id(@mshibuya aab402fb)
• Fix #exists? returning true after Fog file deletion(@mshibuya #2387)
• Make #identifier available for a retrieved file(@mshibuya #1581)
• Make cache id generation less predictable(@mshibuya #2326)
• Uploaders not being cleared when #reload or #initialize_dup are overridden in model(@mshibuya #2379)
• Fix #content_type returning false, instead of nil(@longkt90 #2384)
• Preserve connection cache when eagar-loading fog(@dmitryshagin #2383)
• #recreate_versions! ignored :from_version when versions to recreate are given(@hedgesky #1879 #1164)