Closed syedfaizanalef closed 1 year ago
The Gemfile.lock for a dependency has nothing to do with the gems used by the main codebase. It is a false positive. The only gems that are installed are the ones in the /pact/Gemfile.lock.
Please re-raise if there is an issue with dependencies in ./packaging/Gemfiles.lock
thanks
Would it be possible to exclude the unused Gemfiles from the deliverables to avoid false positives?
If you're open to raising a PR to do so that could be an option.
You can submit a PR with a bulk delete of Gemfile.lock files in this method https://github.com/pact-foundation/pact-ruby-standalone/blob/master/tasks/package.rake#L146
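As an added illustration of the bulk delete suggested above (example code, not the project's package.rake and not part of this thread), the Ruby below globs for every Gemfile.lock that sits inside a vendored gem's own source tree under pact/lib/vendor/ruby/*/gems/, deletes them, and leaves the top-level pact/Gemfile.lock untouched, since that is the only lockfile that describes what is actually installed. The function names, the sample directory layout and the lockfile contents are all constructed for the example.

```ruby
require "fileutils"
require "tmpdir"

LOCKFILE = "Gemfile.lock"

# Every Gemfile.lock shipped inside a vendored gem's source tree, e.g.
# pact/lib/vendor/ruby/2.4.0/gems/find_a_port-1.0.1/Gemfile.lock.
# Nothing reads these at runtime, but dependency scanners do, which is
# where the false positives come from. The top-level pact/Gemfile.lock
# does not sit under lib/vendor and is therefore never matched.
def vendored_lockfiles(pact_dir)
  pattern = File.join(pact_dir, "lib", "vendor", "ruby", "*", "gems", "*", "**", LOCKFILE)
  Dir.glob(pattern).sort
end

# Deletes the vendored lockfiles and returns the paths that were removed,
# so a packaging task can log exactly what left the deliverable.
def prune_vendored_lockfiles!(pact_dir)
  doomed = vendored_lockfiles(pact_dir)
  FileUtils.rm_f(doomed)
  doomed
end

# Constructed sample layout that mirrors the standalone package structure.
# The gem names, versions and lockfile bodies are made up for the example.
def build_sample_tree(root)
  pact = File.join(root, "pact")
  FileUtils.mkdir_p(pact)
  File.write(File.join(pact, LOCKFILE), "GEM\n  specs:\n    pact (1.0.0)\n")
  %w[find_a_port-1.0.1 rack-2.0.0].each do |gem|
    dir = File.join(pact, "lib", "vendor", "ruby", "2.4.0", "gems", gem)
    FileUtils.mkdir_p(File.join(dir, "lib"))
    File.write(File.join(dir, LOCKFILE), "GEM\n  specs:\n    json (1.7.3)\n")
    File.write(File.join(dir, "lib", "#{gem}.rb"), "# gem code\n")
  end
  pact
end

# Runs the prune against the sample tree and reports:
# [lockfiles removed, top-level lockfile still present?,
#  vendored lockfiles left, gem source files left]
def demo
  Dir.mktmpdir do |root|
    pact = build_sample_tree(root)
    removed = prune_vendored_lockfiles!(pact)
    [
      removed.size,
      File.exist?(File.join(pact, LOCKFILE)),
      vendored_lockfiles(pact).size,
      Dir.glob(File.join(pact, "**", "*.rb")).size,
    ]
  end
end

puts demo.inspect if __FILE__ == $0
```

Returning the removed paths rather than deleting silently lets the packaging step print them, so a reviewer of the release can confirm nothing outside the vendored gem trees was touched.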
Thank you for the additional information and your help. I hope this should do the trick: https://github.com/pact-foundation/pact-ruby-standalone/pull/123
@mefellows Should I create a PR to reference the new standalone version as well? https://github.com/pact-foundation/pact-js-core/blob/master/standalone/install.ts Or is there any automated job for this?
Thanks! Once this is released, there is a script to create a PR for this that a maintainer can run (it may be automated, I don't recall actually).
Oh yes, that's true. Sorry. This would be it: https://github.com/pact-foundation/pact-js-core/pull/new/chore/upgrade-to-pact-ruby-standalone-2-1-0
I've updated the triggered repo workflows, as they were failing, so it has now picked up this update. I'll get it merged as part of a release in pact-js-core / pact-js today 👍🏾
Hi,
Nexus is reporting a 9.8 CVSS score for
git 1.2.5
and json 1.7.3
used here: pact/lib/vendor/ruby/2.4.0/gems/find_a_port-1.0.1/Gemfile.lock
Any plans for updating/replacing this dependency?