Support matching rubygems version to tag in GitHub or warn #211
Comments
|
Related: rubygems/rubygems.org#1943 |
sonalkr132
pushed a commit
to sonalkr132/bundler-audit
that referenced
this issue
Dec 19, 2021
445: Bump middleman from 4.3.2 to 4.3.3 r=segiddins a=dependabot[bot] Bumps [middleman](https://github.com/middleman/middleman) from 4.3.2 to 4.3.3. <details> <summary>Changelog</summary> *Sourced from [middleman's changelog](https://github.com/middleman/middleman/blob/v4.3.3/CHANGELOG.md).* > # 4.3.3 > > - Add `--bail` to fail a build upon the first error and show the error messages. ([#2246](https://github-redirect.dependabot.com/middleman/middleman/issues/2246)) </details> <details> <summary>Commits</summary> - [`f67ae38`](middleman/middleman@f67ae38) Bump again - [`d53e3c6`](middleman/middleman@d53e3c6) Bump - [`95c234f`](middleman/middleman@95c234f) Add --bail option to fail upon first error ([#2246](https://github-redirect.dependabot.com/middleman/middleman/issues/2246)) - [`fc01a6c`](middleman/middleman@fc01a6c) Fix lambda syntax - [`dae9203`](middleman/middleman@dae9203) Feature: Add an option to create asset hashes without using the original file... - See full diff in [compare view](middleman/middleman@v4.3.2...v4.3.3) </details> <br /> [](https://dependabot.com/compatibility-score.html?dependency-name=middleman&package-manager=bundler&previous-version=4.3.2&new-version=4.3.3) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot. </details> 446: Bump pry-byebug from 3.6.0 to 3.7.0 r=segiddins a=dependabot[bot] Bumps [pry-byebug](https://github.com/deivid-rodriguez/pry-byebug) from 3.6.0 to 3.7.0. <details> <summary>Release notes</summary> *Sourced from [pry-byebug's releases](https://github.com/deivid-rodriguez/pry-byebug/releases).* > ## 3.7.0 > * Byebug 11 compatibility, with ruby 2.6 support. </details> <details> <summary>Changelog</summary> *Sourced from [pry-byebug's changelog](https://github.com/deivid-rodriguez/pry-byebug/blob/master/CHANGELOG.md).* > ## 3.7.0 (2019-02-21) > > * Byebug 11 compatibility, with ruby 2.6 support. </details> <details> <summary>Commits</summary> - [`283357c`](deivid-rodriguez/pry-byebug@283357c) Bump rubocop from 0.64.0 to 0.65.0 ([rubysec#211](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/211)) - [`3d53568`](deivid-rodriguez/pry-byebug@3d53568) I'm releasing this today, not yesterday ([rubysec#214](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/214)) - [`0a85225`](deivid-rodriguez/pry-byebug@0a85225) Get ready for 3.7.0 release ([rubysec#213](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/213)) - [`4a36357`](deivid-rodriguez/pry-byebug@4a36357) Bump chandler from 0.7.0 to 0.9.0 ([rubysec#212](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/212)) - [`117f11b`](deivid-rodriguez/pry-byebug@117f11b) Merge pull request [rubysec#210](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/210) from deivid-rodriguez/byebug_11 - [`b9e0999`](deivid-rodriguez/pry-byebug@b9e0999) Allow (and require) byebug 11 - [`6fdf51a`](deivid-rodriguez/pry-byebug@6fdf51a) Frozen string literals - [`7f72487`](deivid-rodriguez/pry-byebug@7f72487) Bump BUNDLED WITH to bundler 2.0.1 - [`6888e01`](deivid-rodriguez/pry-byebug@6888e01) Replace Travis CI badge with Circle CI badge ([rubysec#209](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/209)) - [`b8056dc`](deivid-rodriguez/pry-byebug@b8056dc) Bump rubocop from 0.63.1 to 0.64.0 ([rubysec#207](https://github-redirect.dependabot.com/deivid-rodriguez/pry-byebug/issues/207)) - Additional commits viewable in [compare view](deivid-rodriguez/pry-byebug@v3.6.0...v3.7.0) </details> <br /> [](https://dependabot.com/compatibility-score.html?dependency-name=pry-byebug&package-manager=bundler&previous-version=3.6.0&new-version=3.7.0) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot. </details> Co-authored-by: dependabot[bot] <support@dependabot.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We run
bundle-auditas part of our pre-deployment checks, and love it. It's saved our bacon a few times.The malicious code inserted recently in the bootstrap-sass gem on rubygems concerns me greatly. It's something that might not have been caught by our process, had we been exposed to it. Even
bundle-auditwould have had the information too late for a lot of poor souls.Because the exploit was pushed to rubygems but not to GitHub, it seems that there is a way bundler-audit could be modified to flag such circumstances as worthy of scrutiny. For each gem/version in the Ruby app's Gemfile.lock if there is not a corresponding tag in the gem's repository, a warning could be output by
bundle-audit.GitHub and Rubygems are the main code repository host and gem repository. So those could be the defaults. But adding metadata for these datapoints would allow gems in the bundler-audit DB to record alternatives so that this protection could be extended to gems not using the de facto standard services.
A feature like this would add even more value to this invaluable gem.
Thoughts?
The text was updated successfully, but these errors were encountered: