Closed rgenchev closed 4 years ago
Thank you for raising an issue. We will try and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
Best,
@terrastories-stewards
@Rgenchev can you share some notes on what the gem is meant to do? Thanks
@kalimar, sure :)
A `bundle audit check --update` command could be added to the CI, and when building the application it will check for vulnerable gem versions in the Gemfile.lock file.
Let's say that there is a vulnerability in a specific gem but we don't know that. The build will fail and will suggest updating the corresponding gem to a specific safe version where the vulnerability is fixed.
Here is a detailed description: https://github.com/rubysec/bundler-audit#features And some examples: https://github.com/rubysec/bundler-audit#synopsis
I created https://github.com/Terrastories/terrastories/pull/363 that should close this issue.
I used bundler-audit and found vulnerabilities in 2 gems (loofah and rubyzip). In the PR I updated them.
I think that it's a good idea to install the bundler-audit gem (https://github.com/rubysec/bundler-audit). @MxOliver ?
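To make concrete what the `bundle audit check` step described above actually does on a Gemfile.lock, here is an added illustration (not bundler-audit's code and not from the Terrastories project): it parses a constructed lockfile, compares each locked version against constructed advisories shaped like bundler-audit's (patched and unaffected version requirements), and yields the non-zero status that would fail a CI build. Gem names, versions and advisory ids are all made up.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt with made-up gem names; not the project's lockfile.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      html_sanitizer (2.2.3)
        crass (~> 1.0.2)
      zip_reader (1.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    html_sanitizer
    zip_reader
LOCK

# Constructed advisories in the shape bundler-audit uses: a locked version is safe
# only if it satisfies a patched_versions or an unaffected_versions requirement.
ADVISORIES = {
  "html_sanitizer" => [{ id: "CONSTRUCTED-0001", patched: [">= 2.3.1"], unaffected: [] }],
  "zip_reader"     => [{ id: "CONSTRUCTED-0002", patched: [">= 1.3.0"], unaffected: ["< 1.0.0"] }],
}

# Gem specs sit exactly four spaces deep under "specs:"; their own dependencies sit
# six deep, so the anchored indent keeps "crass (~> 1.0.2)" from being read as a gem.
# A platform suffix such as "-x86_64-linux" is dropped before the version is parsed.
def parse_lockfile(text)
  text.scan(/^ {4}(\S+) \(([^)\s-]+)/).to_h { |name, ver| [name, Gem::Version.new(ver)] }
end

# Vulnerable unless the locked version falls inside some patched or unaffected range.
def vulnerable?(version, advisory)
  safe = advisory[:patched] + advisory[:unaffected]
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# One finding per (gem, advisory) pair the locked version does not escape.
def audit(lockfile, advisories)
  parse_lockfile(lockfile).flat_map do |name, version|
    (advisories[name] || []).select { |adv| vulnerable?(version, adv) }.map do |adv|
      { gem: name, version: version.to_s, id: adv[:id], upgrade_to: adv[:patched].join(" or ") }
    end
  end
end

# Exit status the CI step would return; non-zero fails the build, as `bundle audit check` does.
def ci_status(findings)
  findings.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  results = audit(LOCKFILE, ADVISORIES)
  results.each { |f| puts "#{f[:gem]} #{f[:version]}: #{f[:id]} - upgrade to #{f[:upgrade_to]}" }
  puts "audit status: #{ci_status(results)}"
end
```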