Project

General

Profile

Feature #15942

gem: Warn on known vulnerable packages

Added by mcandre (Andrew Pennebaker) over 1 year ago. Updated over 1 year ago.

Status:
Third Party's Issue
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:93257]

Description

In comparison to RubyGems, NPM offers builtin warnings when users attempt to install packages with known vulnerabilities. This helps developers to more quickly react to security concerns, updating or replacing their dependencies.

CI automation systems such as in GitHub, now implement alerts for vulnerabilities in Ruby projects. Now that we know this is technically possible, let's move the warnings directly into gem, so that regardless of where code is pushed, and before code is pushed, devs get a clear warning when they reference vulnerable RubyGems packages.

Updated by shevegen (Robert A. Heiler) over 1 year ago

I think this may be better to raise at https://github.com/rubygems/rubygems - while some
ruby core members contribute to the code of gems, it still seems to fit better to the
github site of rubygems.

To the feature/functionality in itself - I am not sure if gem as-is provides sufficient
information for this to support it. Is there any project tracking other projects with
vulnerabilities? Nothing wrong with having, as an OPTION (thus, can be toggled), the
ability to set this feature; I am not sure if this is easily available right now for
gems. Either way, I think it should be at the gem issue tracker instead.

(Reason I write that it should be optional is primarily because not everyone may want
to have the behaviour changed; so with an option that can be toggled, ruby developers
can decide on their own here.)

Updated by duerst (Martin Dürst) over 1 year ago

  • Status changed from Open to Third Party's Issue

Also available in: Atom PDF