jr-paperclip 8.0.5 → 8.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b63c264ed4ec7e8a00ebe22cb4eac94ea8f6b5530a4913264e164ad29dd685ab
-  data.tar.gz: fc375ca5e00cd92a7adaa411c4af7cfa37d2c2ac38e15ef86d86abe9352308ef
+  metadata.gz: 2020e672706019bc2f09c85e93f350cb076e1734e3b86d6083d57f41d6f0a62e
+  data.tar.gz: c18c81c981656da9ee280b5394123e5bb965ce2ca50b9cacf0e6fbacc7dddeaf
 SHA512:
-  metadata.gz: f4edd845fcf7c7c9a77ca816c2472a95004d5808d629e0f35c246558225f60b8354b0f888ab4c37f60e0c8a994fe471d7cc8aa78ae2eb3977421264b47c365ee
-  data.tar.gz: 23794daef4c3ad192ad97c89e98d681873ff77dc1a48613f7c7b09109e5863fab3e19d0f0b21f63c1040f2eb32c1e94dd096b9621af297d9e0ffb1ccdbf4643f
+  metadata.gz: 20acbf5988e931bbf2825b4d9515dce71bbf9f854ae307b235ec280b9e71d023cd17bd63a3c9cc7dd217f8311c3d882a7311ed42d275c5d5f65da2d73dff9a9c
+  data.tar.gz: 31e48aaa2f00722b445bcc1fc7af6bc1f1440cbc6ee6632442c5c9e234fb15fb8e485bf8e41af84ced410949a129231f6c18e154f387f7401d5a6819548631eb

data/NEWS

@@ -1,3 +1,10 @@
+8.0.6 (2026-05-22)
+
+* Chore: Update image_processing runtime dependency to ~> 2.0
+* Chore: Add explicit mini_magick and ruby-vips runtime dependencies now that image_processing treats them as soft dependencies
+* Security: Pick up image_processing 2.0.1 loader/saver option hardening
+* Behavior: Vips backend now follows image_processing 2.x defaults, including blocked unfuzzed loaders and no post-resize sharpening by default
+
 8.0.5 (2026-05-21)
 
 * Improvement: Avoid anonymous evals

data/README.md

@@ -103,6 +103,7 @@ Paperclip now requires Ruby version **>= 3.0** and Rails version **>= 7.0**
 ### Image Processor
 
 Paperclip supports two main image processing backends: **ImageMagick** (default) and **libvips** (recommended for performance).
+`jr-paperclip` depends on the `image_processing`, `mini_magick`, and `ruby-vips` gems directly, so applications normally only need to install the system image library for the backend they use.
 
 #### ImageMagick
 
@@ -163,6 +164,8 @@ You can also specify the backend per-attachment (see [Image Processing Backends]
 
 **Note on Geometry Detection:** When `vips` is the active backend, Paperclip uses the ruby-vips gem to determine image dimensions instead of ImageMagick's `identify` command.
 
+**Note on Untrusted Loaders:** `image_processing` 2.x asks libvips to block operations and loaders marked as untrusted by default. The affected formats depend on the libvips version and enabled loader libraries in your build. If formats such as PDF, SVG, JPEG-XL, RAW, OpenSlide, NIFTI, FITS, MATLAB, or Analyze6 are rejected, use the ImageMagick backend for those inputs, or set `VIPS_BLOCK_UNTRUSTED=0` before loading `image_processing/vips` only for trusted inputs.
+
 ### `file`
 
 The Unix [`file` command](https://en.wikipedia.org/wiki/File_(command)) is required for content-type checking.
@@ -801,6 +804,7 @@ For a full list of variables and description, see [ImageMagick's resources docum
 ### libvips (Recommended for Performance)
 
 libvips is significantly faster and uses less memory than ImageMagick. Paperclip uses the `image_processing` gem (via `ruby-vips`) to interface with libvips.
+With `image_processing` 2.x, libvips blocks operations and loaders marked as untrusted by default; the exact affected formats vary by libvips build and version.
 
 **Usage:**
 

data/VIPS_MIGRATION_GUIDE.md

@@ -21,7 +21,7 @@ sudo apt install libvips-tools
 
 ## Step 1: Update your Gemfile
 
-`jr-paperclip` already includes the `image_processing` gem, which automatically provides the `ruby-vips` and `mini_magick` bindings. You do **not** need to add these gems explicitly to your `Gemfile`.
+`jr-paperclip` depends on the `image_processing`, `ruby-vips`, and `mini_magick` gems directly. You do **not** need to add these gems explicitly to your `Gemfile` unless your application wants to override their version constraints.
 
 Ensure you are using the latest version of the gem:
 
@@ -134,6 +134,6 @@ has_attached_file :document,
 
 ## Important Considerations
 
-1.  **Output Parity**: While libvips aims for high quality, its resizing algorithms (Lanczos) may produce slightly different visual results than ImageMagick.
-2.  **PDF/SVG Support**: libvips requires additional libraries (like `poppler` or `librsvg`) to process these formats. If you process complex vector formats, ensure the appropriate libraries are installed on your system.
+1.  **Output Parity**: While libvips aims for high quality, its resizing algorithms (Lanczos) may produce slightly different visual results than ImageMagick. `image_processing` 2.x also no longer applies post-resize sharpening by default.
+2.  **PDF/SVG Support**: libvips requires additional libraries (like `poppler` or `librsvg`) to process these formats. With `image_processing` 2.x, operations and loaders marked as untrusted may be blocked by default, and the exact affected formats vary by libvips build and version. Use ImageMagick for blocked formats or set `VIPS_BLOCK_UNTRUSTED=0` only for trusted inputs.
 3.  **Exotic Formats**: If you rely on very specific ImageMagick features (like specialized filters or complex layer manipulation), test those attachments thoroughly before switching.

data/lib/paperclip/geometry_detector_factory.rb

@@ -47,11 +47,7 @@ module Paperclip
     end
 
     def vips_geometry_string
-      begin
-        require "vips"
-      rescue LoadError => e
-        raise Errors::CommandNotFoundError.new("Could not load ruby-vips. Please install libvips.")
-      end
+      Paperclip.require_vips
 
       begin
         # Use ruby-vips gem directly instead of shelling out to vipsheader

data/lib/paperclip/processor.rb

@@ -79,11 +79,7 @@ module Paperclip
     # @param options [Hash] Options to pass to Vips::Image.new_from_file
     # @return [Vips::Image] The loaded image
     def vips_image(file_path, **options)
-      begin
-        require "vips"
-      rescue LoadError
-        raise Errors::CommandNotFoundError.new("Could not load ruby-vips. Please install libvips.")
-      end
+      Paperclip.require_vips
       Vips::Image.new_from_file(file_path, **options)
     end
   end

data/lib/paperclip/thumbnail.rb

@@ -148,6 +148,11 @@ module Paperclip
         elsif defined?(::MiniMagick::Error) && (e.is_a?(::MiniMagick::Error) || e.is_a?(::MiniMagick::Invalid))
           handle_error(e, "ImageMagick")
         elsif defined?(::ImageProcessing::Error) && e.is_a?(::ImageProcessing::Error)
+          if backend_dependency_error?(e)
+            raise Paperclip::Errors::CommandNotFoundError.new(
+              "Could not run the command for #{backend}. Please install dependencies.",
+            )
+          end
           handle_error(e, "ImageProcessing")
         else
           raise e
@@ -666,5 +671,9 @@ module Paperclip
         @file
       end
     end
+
+    def backend_dependency_error?(error)
+      error.message.match?(/ImageProcessing::(?:MiniMagick|Vips) requires/)
+    end
   end
 end

data/lib/paperclip/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Paperclip
-  VERSION = "8.0.5"
+  VERSION = "8.0.6"
 end

data/lib/paperclip.rb

@@ -90,6 +90,23 @@ module Paperclip
     backend
   end
 
+  def self.require_vips
+    return if @vips_loaded
+
+    require "vips"
+    block_untrusted_vips_loaders
+    @vips_loaded = true
+  rescue LoadError
+    raise Errors::CommandNotFoundError.new("Could not load ruby-vips. Please install libvips.")
+  end
+
+  def self.block_untrusted_vips_loaders
+    return if ENV["VIPS_BLOCK_UNTRUSTED"]
+    return unless defined?(::Vips) && ::Vips.respond_to?(:block_untrusted)
+
+    ::Vips.block_untrusted(true)
+  end
+
   # Provides configurability to Paperclip. The options available are:
   # * whiny: Will raise an error if Paperclip cannot process thumbnails of
   #   an uploaded image. Defaults to true.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jr-paperclip
 version: !ruby/object:Gem::Version
-  version: 8.0.5
+  version: 8.0.6
 platform: ruby
 authors:
 - Jukka Rautanen
@@ -43,14 +43,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.14'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: marcel
   requirement: !ruby/object:Gem::Requirement
@@ -79,6 +79,46 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: mini_magick
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.9.5
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.9.5
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6'
+- !ruby/object:Gem::Dependency
+  name: ruby-vips
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.17
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.17
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
   name: terrapin
   requirement: !ruby/object:Gem::Requirement