rubyatscale / packs-rails

packs-rails establishes and implements a set of conventions for splitting up large monoliths.
MIT License
268 stars 26 forks

packwerk CVE issue #88

Closed bschrag closed 5 days ago

bschrag commented 7 months ago

We noticed that packwerk is being flagged as having a CVE. My initial step to resolve this was to move packs-rails and packs to the development block, but that of course didn't work because we lost the autoloading capability provided by packs-rails. Do you have any suggestions for how to maintain packs-rails within the app without pulling in these CVEs from packwerk? Our short term solution unfortunately was to stub in some customized autoloading and remove packs-rails as a dependency. It seems like there is maybe an ideal solution where packs-rails no longer has packs as a dependency, so that packs can become a dev only gem and packs-rails can live in production without the other dependencies.

schoblaska commented 6 months ago

I don't think there's an easy way to use packs-rails without packs. Could you open an issue in the packwerk repo for the CVE? Or link more details here about which CVE it is and where it's flagged in the code?

bschrag commented 6 months ago

@schoblaska Sorry for the delay, things got busy and I forgot to follow up here.

Yes, I can open something up over at packwerk instead since decoupling doesn't seem like a viable option here. For clarity, the issue being flagged is the following:

Name: rails-html-sanitizer
Installed version / Fixed version: 0:1.4.3 / 1.4.4.0
Package manager: BUNDLER
File paths: app/.bundle/ruby/3.1.0/gems/packwerk-3.2.0/Gemfile.lock
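The finding above points at a Gemfile.lock vendored inside the installed packwerk gem directory, not at the application's own lockfile, so the first triage question is whether the flagged gem actually resolves in the app's bundle. The following is an added example (not code from packs-rails or packwerk): a small parser for the GEM specs section of a Gemfile.lock, a check that tells a vendored lockfile path from the app's, and a version comparison against a fixed version. The sample lockfiles and the `ADVISORIES` table are constructed; the fixed version is the one reported in this issue.

```ruby
# Returns {name => version} for every top-level spec in a Gemfile.lock.
def lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = false if line =~ /\A\S/          # unindented section header
    in_specs = true if line =~ /\A  specs:\s*\z/
    next unless in_specs
    # Four-space indent is a spec, "name (version)"; deeper lines are its deps.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# A lockfile under an installed gem's directory is vendored, not the app's own.
def vendored_lockfile?(path)
  path.include?("/gems/") && path.end_with?("Gemfile.lock")
end

# Gems in the lockfile still below the fixed version given in advisories.
def affected(lock_text, advisories)
  lock_specs(lock_text).select do |name, ver|
    fixed = advisories[name]
    fixed && Gem::Version.new(ver) < Gem::Version.new(fixed)
  end
end

# Constructed, abridged lockfiles: one vendored inside a gem, one for the app.
VENDORED_LOCK = <<~LOCK
  GEM
    specs:
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)
      loofah (2.19.0)
  DEPENDENCIES
    rails-html-sanitizer
LOCK
APP_LOCK = <<~LOCK
  GEM
    specs:
      packwerk (3.2.0)
      rails-html-sanitizer (1.6.0)
LOCK
# Fixed version as reported by the scanner in this issue (constructed table).
ADVISORIES = { "rails-html-sanitizer" => "1.4.4" }.freeze
```

Running `affected` against the app's own lockfile rather than the vendored one shows whether the advisory applies to what the application actually loads.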

github-actions[bot] commented 1 week ago

This issue has been marked stale because it has been open for six months with no activity. To prevent this issue from automatically being closed in one week, update it or remove the stale label.