Feature #15942
closed
gem: Warn on known vulnerable packages
Description
In comparison to RubyGems, NPM offers builtin warnings when users attempt to install packages with known vulnerabilities. This helps developers to more quickly react to security concerns, updating or replacing their dependencies.
CI automation systems such as in GitHub, now implement alerts for vulnerabilities in Ruby projects. Now that we know this is technically possible, let's move the warnings directly into gem, so that regardless of where code is pushed, and before code is pushed, devs get a clear warning when they reference vulnerable RubyGems packages.
Updated by shevegen (Robert A. Heiler) almost 5 years ago
I think this may be better to raise at https://github.com/rubygems/rubygems - while some
ruby core members contribute to the code of gems, it still seems to fit better to the
github site of rubygems.
To the feature/functionality in itself - I am not sure if gem as-is provides sufficient
information for this to support it. Is there any project tracking other projects with
vulnerabilities? Nothing wrong with having, as an OPTION (thus, can be toggled), the
ability to set this feature; I am not sure if this is easily available right now for
gems. Either way, I think it should be at the gem issue tracker instead.
(Reason I write that it should be optional is primarily because not everyone may want
to have the behaviour changed; so with an option that can be toggled, ruby developers
can decide on their own here.)
Updated by duerst (Martin Dürst) almost 5 years ago
- Status changed from Open to Third Party's Issue
What @shevegen (Robert A. Heiler) says: raise it at https://github.com/rubygems/rubygems, please.