Run bundler-audit on PRs #23514
Run bundler-audit on PRs #23514
Conversation
|
The wiki around the mitigation points to this spec test to confirm the mitigation, but I wasn't sure about adding it omniauth/omniauth#809 (comment) |
nschonni
force-pushed
the
bundler-audit
branch
2 times, most recently
from
9de5107
to
38e0cbc
Compare
|
This pull request has merge conflicts that must be resolved before it can be merged. |
nschonni
force-pushed
the
bundler-audit
branch
from
38e0cbc
to
5dbfcb5
Compare
|
Now that Superlinter is replaced, I just added this as a step with the other Ruby linting job |
|
Question, with dependabot and whatnot running on this repository, do we really need bundler-audit? |
|
I think it can serve a slightly different purpose. The one that is suppressed would have had a Dependabot PR opened, but then likely closed for some breaking changes in the major version update. I think you did a workaround according to the described CVE and workaround from the upstream project, so it can then be ignored will the major bump of that dependency can be done later. |
Doesn't look like the CodeClimate is really used anymore, so migrating one of the last 2 hooks.
Will push a second commit with the config to fix the failure that should be shown in the first one