pact-foundation / pact-ruby-standalone

A standalone pact command line executable using the ruby pact implementation and Travelling Ruby
https://pact.io
MIT License

vulnerability issues #83

Closed syedfaizanalef closed 1 year ago

syedfaizanalef commented 1 year ago

Hi,

Nexus is reporting a 9.8 CVSS score for git 1.2.5 and json 1.7.3 used here: pact/lib/vendor/ruby/2.4.0/gems/find_a_port-1.0.1/Gemfile.lock.

Any plans for updating/replacing this dependency?

bethesque commented 1 year ago

The Gemfile.lock for a dependency has nothing to do with the gems used by the main codebase. It is a false positive. The only gems that are installed are the ones in the /pact/Gemfile.lock.

YOU54F commented 1 year ago

Please re-raise if there is an issue with dependencies in ./packaging/Gemfiles.lock

thanks

benthieu commented 5 months ago

Would it be possible to exclude the unused Gemfiles from the deliverables to avoid false positives?

mefellows commented 5 months ago

If you're open to raising a PR to do so that could be an option.

bethesque commented 5 months ago

You can submit a PR with a bulk delete of Gemfile.lock files in this method https://github.com/pact-foundation/pact-ruby-standalone/blob/master/tasks/package.rake#L146
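
A pruning step of the kind described above, written as an added example rather than the project's own package.rake code: it removes every Gemfile.lock that belongs to a vendored gem (those files are never consulted at runtime, so they only feed scanner false positives) while keeping the application's real lockfile. The helper names, the `keep:` default and the constructed sample tree are assumptions.

```ruby
# Added example, not the project's own packaging code: prune lockfiles that
# belong to vendored gems, keeping the application's real Gemfile.lock so a
# scanner only sees the dependencies that are actually installed.
# Helper names and the sample layout below are assumptions.
require "fileutils"
require "pathname"
require "tmpdir"

# Delete every Gemfile.lock below +root+ except those listed in +keep+
# (paths relative to +root+). Returns the relative paths that were removed,
# sorted, so a Rake task can log them. Nothing is touched when +dry_run+ is true.
def prune_vendored_lockfiles(root, keep: ["Gemfile.lock"], dry_run: false)
  root = Pathname.new(root).expand_path
  keep = keep.map { |k| root.join(k).expand_path }
  # "**" also matches zero directories, so the root lockfile is found too
  # and must be filtered out by the keep list.
  Dir.glob(root.join("**", "Gemfile.lock").to_s).each_with_object([]) do |path, removed|
    file = Pathname.new(path).expand_path
    next if keep.include?(file)
    FileUtils.rm_f(file) unless dry_run
    removed << file.relative_path_from(root).to_s
  end.sort
end

# Build a constructed miniature of a packaged tree so the example runs
# offline; the vendored path mirrors the one quoted in the issue.
def build_sample_tree
  dir = Dir.mktmpdir("pact-prune-")
  %w[
    Gemfile.lock
    lib/vendor/ruby/2.4.0/gems/find_a_port-1.0.1/Gemfile.lock
    lib/vendor/ruby/2.4.0/gems/find_a_port-1.0.1/lib/find_a_port.rb
    lib/vendor/ruby/2.4.0/gems/other-0.1.0/Gemfile.lock
  ].each do |rel|
    FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
    File.write(File.join(dir, rel), "# constructed sample\n")
  end
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = build_sample_tree
  puts prune_vendored_lockfiles(dir, dry_run: true) # list only; pass dry_run: false to delete
end
```

Running it with `dry_run: true` first gives a reviewable list of exactly which lockfiles the packaging step would drop, which is the check worth keeping in the task's output.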

benthieu commented 5 months ago

Thank you for the additional information and your help. I hope this should do the trick: https://github.com/pact-foundation/pact-ruby-standalone/pull/123

benthieu commented 5 months ago

@mefellows Should I create a PR to reference the new standalone version as well? https://github.com/pact-foundation/pact-js-core/blob/master/standalone/install.ts Or is there any automated job for this?

mefellows commented 5 months ago

Thanks! Once this is released, there is a script to create a PR for this that a maintainer can run (it may be automated, I don't recall actually).

benthieu commented 5 months ago

Oh yes, that's true. Sorry. This would be it: https://github.com/pact-foundation/pact-js-core/pull/new/chore/upgrade-to-pact-ruby-standalone-2-1-0

YOU54F commented 5 months ago

I've updated the triggered repo workflows, as they were failing, so it has now picked up this update. I'll get it merged as part of a release in pact-js-core / pact-js today 👍🏾