
Update to jline 3.x to resolve CVE #7

Open
mnpoonia wants to merge 3 commits into jruby:master from mnpoonia:fix_update_jline

mnpoonia commented Oct 1, 2025

No description provided.

mnpoonia and others added 3 commits October 1, 2025 15:42
- Type ConsoleHolder.history as DefaultHistory to enable set/remove/get
  by index, fixing pop, shift, set, and delete_at history operations
- Re-add ESC key -> BEEP binding (JRUBY-852: prevents IRB quit on ESC)
- Disable DefaultHistory file persistence to match JLine 2 MemoryHistory
- Warn on completion_append_character= since JLine 3 does not support it
- Remove unused imports (Iterator, ListIterator, AttributedString)
- Fix missing newline at end of Java files

Add test/test_readline.rb (smoke test: gem loads and basic method works)
and test/test_history.rb (full Minitest suite covering HISTORY push/pop/
shift/set/delete_at/each/clear and completion_proc, tested against JRuby
with Java 21 + JLine 3.21).

The upstream repo had no tests; this is the first test infrastructure.
Also fix history mutation methods (pop, shift, set, delete_at) to work
around DefaultHistory lacking remove(int)/set(int,String) in JLine 3 by
rebuilding the list via purge()+re-add. Fix ESC key binding to use Widget
interface instead of Binding (which is not functional in JLine 3).

mnpoonia commented May 4, 2026

@headius — yes, we have tested this with JRuby.

Test environment: JRuby 10.1.0.0 (Ruby 4.0.0, Java 21, JLine 3.21.0, arm64-darwin)

Since this repo had no existing test infrastructure, we added the first test suite as part of this PR (test/test_history.rb) — 22 tests, 36 assertions, all passing. It covers the Readline::HISTORY API (push, pop, shift, set, delete_at, each, clear, size, empty?) and completion_proc, which is the surface area exercised by HBase shell via IRB.

A few notes on the migration:

  • JLine 3's DefaultHistory does not expose remove(int) or set(int, String), so history mutation methods (pop, shift, delete_at, []=) are implemented via purge + rebuild — functional but not optimal. This is worth noting if the library stays in use.
  • We re-added the ESC key → beep binding from JRUBY-852 using JLine 3's Widget interface.
  • completion_append_character= is not supported by JLine 3 and now warns instead of silently no-oping.

We understand the project is moving toward reline. This PR is motivated by a CVE in jline 2.x (jline:jline) that affects HBase deployments today. Even as a transitional fix until jruby-readline is fully retired, we believe it's worth landing. Happy to address any concerns.
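
The purge-and-rebuild workaround described in the comment above, as an added example that is not code from this PR or from jruby-readline: `AppendOnlyHistory` is a constructed stand-in for a history store without index-based removal or replacement, and `RebuildingHistory` with its method names is hypothetical. The index is validated before the purge, so an out-of-range index cannot wipe the history.

```ruby
# Constructed stand-in for an append-only history store: it offers only
# add, each, size and purge, mirroring the limitation the comment describes.
class AppendOnlyHistory
  def initialize; @lines = []; end
  def add(line); @lines << line.to_s; self; end
  def each(&blk); @lines.dup.each(&blk); end
  def size; @lines.size; end
  def purge; @lines = []; self; end
end

# Hypothetical adapter (names are assumptions): index-based mutation
# implemented by snapshotting, purging and re-adding every line.
class RebuildingHistory
  def initialize(store = AppendOnlyHistory.new); @store = store; end
  def push(*lines); lines.each { |l| @store.add(l) }; self; end
  def to_a; out = []; @store.each { |l| out << l }; out; end
  def size; @store.size; end

  # Empty history returns nil instead of raising.
  def pop; size.zero? ? nil : delete_at(-1); end
  def shift; size.zero? ? nil : delete_at(0); end

  def delete_at(index)
    lines = to_a
    i = normalize(index, lines.size)
    removed = lines.delete_at(i)
    rebuild(lines)
    removed
  end

  def []=(index, value)
    lines = to_a
    lines[normalize(index, lines.size)] = value.to_s
    rebuild(lines)
  end

  private

  # Negative indexes count from the end; anything out of range raises
  # before the store is touched.
  def normalize(index, size)
    i = index < 0 ? index + size : index
    raise IndexError, "invalid index: #{index}" if i < 0 || i >= size
    i
  end

  def rebuild(lines); @store.purge; lines.each { |l| @store.add(l) }; end
end
```

Every mutation costs a full pass over the history, which is the "functional but not optimal" trade-off the comment mentions.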
