Open Niedzwiedz opened 1 year ago
Hello,
The rack-cors gem comes packaged with `test_files` that include mocha.js, which is interpreted by our scans as version 1.11.0. Our product security analysis is "flashing red" and flagging those: https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/ https://github.com/mochajs/mocha/pull/4770
I was following this issue discussion on rubygems: https://github.com/rubygems/rubygems/issues/735, which isn't really conclusive, but many gem repos removed `test_files`, and I wonder what your opinion is on keeping/removing the `test_files` part of the gemspec?
Thanks, Michal
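An added example, not code from rack-cors or from either participant, showing what the scanner is reacting to and how a gemspec avoids it: the file list is constructed here to resemble a gem that packages its test suite (the mocha.js fixture path is modelled on the report above, the gem name `example-gem` is hypothetical), and the example uses only the standard `Gem::Specification` API.

```ruby
require "rubygems"

# Directories that hold test code and fixtures rather than the library
# itself (this pattern is the example's own assumption, not a RubyGems rule).
TEST_DIR_RE = %r{\A(test|spec|features)/}

# Browser-side assets such as a vendored mocha.js that exist only to run a
# JavaScript test suite; these are what a dependency scanner fingerprints.
WEB_ASSET_RE = /\.(js|css|html)\z/

# Constructed file list modelled on a gem that packages its test suite.
EXAMPLE_FILES = %w[
  README.md
  lib/rack/cors.rb
  lib/rack/cors/resource.rb
  test/cors/test_cors.rb
  test/cors/javascript/mocha.js
  test/cors/javascript/mocha.css
].freeze

# Everything under a test directory that would be installed with the gem.
def shipped_test_assets(files)
  files.select { |f| f.match?(TEST_DIR_RE) }
end

# The subset a JavaScript vulnerability scanner is likely to fingerprint.
def shipped_web_assets(files)
  shipped_test_assets(files).select { |f| f.match?(WEB_ASSET_RE) }
end

# The file list a library gem should actually ship.
def library_only(files)
  files.reject { |f| f.match?(TEST_DIR_RE) }
end

# Inspect a gem already installed in the current Ruby; returns nil when the
# gem is not present, so the script also runs offline.
def check_installed_gem(name)
  spec = Gem::Specification.find_by_name(name)
  shipped_web_assets(spec.files)
rescue Gem::LoadError
  nil
end

# A gemspec that keeps the test suite out of the package: `files` is built
# from the library paths only and `test_files` is never set.
def example_spec(all_files = EXAMPLE_FILES)
  Gem::Specification.new do |s|
    s.name    = "example-gem" # hypothetical name
    s.version = "0.0.1"
    s.summary = "gemspec that does not package its test suite"
    s.authors = ["example"]
    s.files   = library_only(all_files)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "would be flagged: #{shipped_web_assets(EXAMPLE_FILES).inspect}"
  puts "packaged instead: #{example_spec.files.inspect}"
  installed = check_installed_gem("rack-cors")
  puts "installed rack-cors ships: #{installed.inspect}" unless installed.nil?
end
```

`Gem::Specification#files` returns the union of `files` and `test_files`, so anything assigned to `test_files` is installed on every machine that installs the gem; the `gem contents <name>` command shows the same list a scanner walks.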
If your product is flagging a JavaScript file in a test suite as "flashing red", then how would it flag the actual vulnerabilities?