Closed dhempy closed 8 months ago
Hi @dhempy,
PR accepted and merged. gem version bumped to rubygems.
As you mention in the PR comment, the major version bump in simplecov-rcov could arguably have been a minor version bump. I am satisfied just seeing you also have doubts. It is Sunday and the discussion is not worth the energy :)
Thanks for keeping the gem alive and safe!
As I learn more about gem dependencies, I realize I didn't solve this in the best way. According to https://yehudakatz.com/2010/12/16/clarifying-the-roles-of-the-gemspec-and-gemfile/ , gems (unlike applications) should not include Gemfile.lock at all. I'll submit a fresh PR to follow that path. This will not only resolve this vulnerability today, but will make simplecov-rcov far more resilient into the future without frequent updates.
I added two PRs, which must be merged separately, and in this order:
https://github.com/fguillen/simplecov-rcov/pull/30
They remove Gemfile.lock, then add it to .gitignore @fguillen
@dhempy Actually, that post is no longer valid, and best practice has been significantly improved since then. It is now standard, and best, practice to commit Gemfile.lock in every project that has one, with no exceptions. This post really should be updated, but Yehuda has moved on to other things.
Here is the discussion of the current best practice. Rails now includes Gemfile.lock!
I am closing it due to the changes in community best practices.
You did merge those PRs removing the Gemfile.lock though, so the Gemfile.lock is not in the project. It isn't a big deal, just want to make sure it is clear what happened.
Thanks @pboling, I added it again; I hope I am not breaking anything now.
simplecov-rcov depends on rake. Rake < 12.3.3 has a critical vulnerability that some code inspectors (AWS Inspector) flag as "critical" and blocks deployment.
This PR https://github.com/fguillen/simplecov-rcov/pull/27 fixes the vulnerability by bumping the version of rake.
Please review and approve that PR to allow more people to continue using your awesome gem, @fguillen :)
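The issue above is, in the end, a question of what version a lockfile pins. As an added example (not code from the simplecov-rcov project or from anyone in this thread), here is a small Ruby script that reads a Gemfile.lock, collects the versions pinned in its `specs:` blocks, and reports any gem that sits below a minimum version. The only minimum it knows is the rake threshold named in the issue (12.3.3); the lockfile text is constructed inline so the script runs offline, and the `MINIMUM_VERSIONS` table is a hypothetical name chosen for this example.

```ruby
# Added example (not from the simplecov-rcov project): scan a Gemfile.lock for
# gems pinned below a known-fixed version. Gem::Version ships with Ruby's
# bundled rubygems, so no extra gems are needed.
require "rubygems"

# Hypothetical minimum-version table for this example. The rake entry is the
# threshold stated in the issue; add further gems as your own advisories require.
MINIMUM_VERSIONS = {
  "rake" => "12.3.3",
}.freeze

# Constructed sample lockfile in Bundler's layout: pinned specs are indented
# four spaces, their dependency constraints six spaces.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      docile (1.3.2)
      rake (12.3.2)
      simplecov (0.17.1)
        docile (~> 1.1)
        json (>= 1.8, < 3)
        simplecov-html (~> 0.10.0)
      simplecov-html (0.10.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    simplecov
LOCK

# Returns { gem_name => pinned_version } for every spec in every `specs:` block.
# Only four-space-indented lines are pinned specs; six-space lines are the
# constraints a spec depends on and are deliberately skipped.
def pinned_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    in_specs = true if line == "  specs:"
    in_specs = false if line.empty? # a blank line ends the specs block
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Returns { gem_name => { pinned:, minimum: } } for gems pinned below the
# minimum in +minimums+. Gem::Version does the comparison, so "12.3.10" sorts
# after "12.3.3" as a version rather than as a string.
def outdated_gems(lockfile_text, minimums = MINIMUM_VERSIONS)
  pinned_versions(lockfile_text).each_with_object({}) do |(name, version), found|
    min = minimums[name]
    next unless min
    if Gem::Version.new(version) < Gem::Version.new(min)
      found[name] = { pinned: version, minimum: min }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  report = outdated_gems(SAMPLE_LOCKFILE)
  if report.empty?
    puts "all pinned gems meet their minimum versions"
  else
    report.each do |name, info|
      puts "#{name} #{info[:pinned]} is below the minimum #{info[:minimum]}"
    end
  end
end
```

Point it at a real project by replacing `SAMPLE_LOCKFILE` with `File.read("Gemfile.lock")`. Because it reads the pins rather than the `Gemfile`'s loose constraints, it catches exactly the case in this issue: a lockfile that keeps an old rake even after the gemspec or Gemfile would allow a newer one.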