Run bundler-audit on PRs #23514
Conversation
The wiki around the mitigation points to this spec test to confirm the mitigation, but I wasn't sure about adding it: omniauth/omniauth#809 (comment)
9de5107 to 38e0cbc
This pull request has merge conflicts that must be resolved before it can be merged.
38e0cbc to 5dbfcb5
Now that Superlinter is replaced, I just added this as a step with the other Ruby linting job
Question, with dependabot and whatnot running on this repository, do we really need bundler-audit?
I think it can serve a slightly different purpose. The one that is suppressed would have had a Dependabot PR opened, but then likely closed for some breaking changes in the major version update. I think you did a workaround according to the described CVE and workaround from the upstream project, so it can then be ignored until the major bump of that dependency can be done later.
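For reference, this is what "a bundler-audit step next to the Ruby linting job, with the one worked-around advisory suppressed" typically looks like. It is an added illustration, not the PR's own diff or this project's workflow: the workflow file name, job name, and the `CVE-XXXX-XXXXX` placeholder are assumptions (the placeholder stands in for whatever advisory ID the upstream workaround covers; the page does not name it). It assumes `bundler-audit` is in the Gemfile so `bundle exec` can find it; otherwise `gem install bundler-audit` first.

```yaml
# .github/workflows/lint.yml (hypothetical path; step added to an existing Ruby lint job)
jobs:
  ruby-lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true          # runs `bundle install` and caches gems
      - name: bundler-audit
        # --update refreshes the local copy of ruby-advisory-db before checking,
        # so a fresh advisory fails the PR even when Gemfile.lock did not change.
        run: bundle exec bundler-audit check --update

# .bundler-audit.yml (repo root; read automatically by bundler-audit >= 0.8)
# Advisories listed here are skipped. Keep the list short and commented, and
# drop the entry once the major bump that carries the real fix lands.
ignore:
  - CVE-XXXX-XXXXX   # placeholder: mitigated in-app per the upstream workaround
```

The ignore file rather than a `--ignore` flag on the command line keeps the suppression visible in code review, which is the point of having the check alongside Dependabot: Dependabot proposes the bump, bundler-audit keeps failing until someone either takes the bump or records, in the repo, why the advisory does not apply.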
Doesn't look like CodeClimate is really used anymore, so migrating one of the last 2 hooks.
Will push a second commit with the config to fix the failure that should be shown in the first one