Terrastories / terrastories

Terrastories is a geostorytelling application for mapping, managing and sharing place-based stories.
https://terrastories.app
MIT License

Setup 'bundler-audit' gem #342

Closed rgenchev closed 4 years ago

rgenchev commented 4 years ago

I think that it's a good idea to install bundler-audit gem (https://github.com/rubysec/bundler-audit).

@MxOliver ?

auto-comment[bot] commented 4 years ago


Thank you for raising an issue. We will try and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
Best,
@terrastories-stewards

kalimar commented 4 years ago

@Rgenchev can you share some notes on what the gem is meant to do? Thanks

rgenchev commented 4 years ago

@kalimar, sure :)

A bundle audit check --update command could be added to the CI and when building the application it will check for vulnerable gem versions in the Gemfile.lock file.

Let's say that there is a vulnerability in a specific gem but we don't know that. The build will fail and will suggest updating the corresponding gem to a specific safe version where the vulnerability is fixed.

Here is a detailed description: https://github.com/rubysec/bundler-audit#features And some examples: https://github.com/rubysec/bundler-audit#synopsis
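The check described in the comment above, reduced to a standalone script as an added example; this is not Terrastories' code and not bundler-audit's own implementation. It parses a Gemfile.lock with Bundler's own LockfileParser, looks each pinned gem up in an advisory list, and reports any version that is neither in an unaffected range nor satisfies a patched range, which is the rule bundler-audit applies against ruby-advisory-db. The advisory entries, their EXAMPLE-* ids, the version ranges and both lockfiles are constructed for illustration and are not real advisories; the only assumption is that `require "bundler"` works, which holds on any Ruby that ships bundler as a default gem.

```ruby
# Added example, not Terrastories' or bundler-audit's own code: a reduced
# re-implementation of what `bundle audit check` does against a Gemfile.lock.
require "bundler"
require "yaml"

# Constructed advisories in the shape of ruby-advisory-db entries (gem,
# patched_versions, optional unaffected_versions). Placeholder ids, not CVEs.
ADVISORIES_YAML = <<~YAML
  - gem: loofah
    id: EXAMPLE-0001
    title: constructed advisory for illustration
    patched_versions:
      - ">= 2.2.3"
  - gem: rubyzip
    id: EXAMPLE-0002
    title: constructed advisory for illustration
    unaffected_versions:
      - "< 1.0.0"
    patched_versions:
      - ">= 1.2.2"
YAML
ADVISORIES = YAML.safe_load(ADVISORIES_YAML).group_by { |a| a["gem"] }.freeze

# Constructed lockfile pinning two gems below their (constructed) patched
# versions; this is the input that should fail the build.
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.5)
      rubyzip (1.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    loofah
    rubyzip
LOCK

# The same lockfile after bumping both gems to the patched versions.
FIXED_LOCK = VULNERABLE_LOCK
  .sub("loofah (2.2.2)", "loofah (2.2.3)")
  .sub("rubyzip (1.2.1)", "rubyzip (1.2.2)")

# bundler-audit's rule: a version is vulnerable unless it falls in an
# unaffected range or satisfies one of the patched ranges.
def vulnerable?(advisory, version)
  satisfies = ->(ranges) { Array(ranges).any? { |r| Gem::Requirement.new(r).satisfied_by?(version) } }
  !satisfies.call(advisory["unaffected_versions"]) && !satisfies.call(advisory["patched_versions"])
end

# Parse the lockfile with Bundler's own parser and check every pinned spec.
# Returns one finding per (gem, advisory) pair; an empty array means the
# build may pass.
def audit_lockfile(lockfile_text, advisories = ADVISORIES)
  Bundler::LockfileParser.new(lockfile_text).specs.flat_map do |spec|
    Array(advisories[spec.name]).select { |adv| vulnerable?(adv, spec.version) }.map do |adv|
      { name: spec.name, version: spec.version.to_s, id: adv["id"], patched: Array(adv["patched_versions"]) }
    end
  end
end

# CI-style summary: exit status (1 = fail the build) plus the report lines,
# including the safe version to upgrade to, as the comment above describes.
def audit_report(lockfile_text, advisories = ADVISORIES)
  findings = audit_lockfile(lockfile_text, advisories)
  lines = findings.map { |f| "#{f[:name]} #{f[:version]}: #{f[:id]} (upgrade to #{f[:patched].join(' or ')})" }
  lines << (findings.empty? ? "No vulnerabilities found" : "Vulnerabilities found!")
  [findings.empty? ? 0 : 1, lines]
end

if $PROGRAM_NAME == __FILE__
  [["vulnerable", VULNERABLE_LOCK], ["fixed", FIXED_LOCK]].each do |label, lock|
    status, lines = audit_report(lock)
    puts "== #{label} lockfile (exit #{status})"
    puts lines
  end
end
```

In a real pipeline the script's exit status is what matters: `bundle audit check --update` first refreshes its local copy of ruby-advisory-db and then exits non-zero when any pinned version matches an advisory, so a CI job running it fails the build. The `--update` part is the caveat worth keeping: a clean run only says that nothing in the advisory database copy you have matches the lockfile, so a stale database gives a false sense of safety.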

rgenchev commented 4 years ago

I created https://github.com/Terrastories/terrastories/pull/363 that should close this issue.

I used bundler-audit and found vulnerabilities in 2 gems (loofah and rubyzip). In the PR I updated them.