Closed bschrag closed 5 days ago
I don't think there's an easy way to use packs-rails without packs. Could you open an issue in the packwerk repo for the CVE? Or link more details here about which CVE it is and where it's flagged in the code?
@schoblaska Sorry for the delay, things got busy and I forgot to follow up here.
Yes, I can open something up over at packwerk instead since decoupling doesn't seem like a viable option here. For clarity, the issue being flagged is the following:
Name: rails-html-sanitizer
Installed version / Fixed version: 0:1.4.3 / 1.4.4.0
Package manager: BUNDLER
File paths: app/.bundle/ruby/3.1.0/gems/packwerk-3.2.0/Gemfile.lock
This issue has been marked stale because it has been open for six months with no activity. To prevent this issue from automatically being closed in one week, update it or remove the stale label.
We noticed that packwerk is being flagged as having a CVE. My initial step to resolve this was to move packs-rails and packs to the development block, but that of course didn't work because we lost the autoloading capability provided by packs-rails. Do you have any suggestions for how to maintain packs-rails within the app without pulling in these CVEs from packwerk? Our short term solution unfortunately was to stub in some customized autoloading and remove packs-rails as a dependency. It seems like there is maybe an ideal solution where packs-rails no longer has packs as a dependency, so that packs can become a dev only gem and packs-rails can live in production without the other dependencies.