From: shevegen@... Date: 2019-06-19T21:23:46+00:00 Subject: [ruby-core:93263] [Ruby trunk Feature#15942] gem: Warn on known vulnerable packages Issue #15942 has been updated by shevegen (Robert A. Heiler). I think this may be better to raise at https://github.com/rubygems/rubygems - while some ruby core members contribute to the code of gems, it still seems to fit better to the github site of rubygems. To the feature/functionality in itself - I am not sure if gem as-is provides sufficient information for this to support it. Is there any project tracking other projects with vulnerabilities? Nothing wrong with having, as an OPTION (thus, can be toggled), the ability to set this feature; I am not sure if this is easily available right now for gems. Either way, I think it should be at the gem issue tracker instead. (Reason I write that it should be optional is primarily because not everyone may want to have the behaviour changed; so with an option that can be toggled, ruby developers can decide on their own here.) ---------------------------------------- Feature #15942: gem: Warn on known vulnerable packages https://bugs.ruby-lang.org/issues/15942#change-78723 * Author: mcandre (Andrew Pennebaker) * Status: Open * Priority: Normal * Assignee: * Target version: ---------------------------------------- In comparison to RubyGems, NPM offers builtin warnings when users attempt to install packages with known vulnerabilities. This helps developers to more quickly react to security concerns, updating or replacing their dependencies. CI automation systems such as in GitHub, now implement alerts for vulnerabilities in Ruby projects. Now that we know this is technically possible, let's move the warnings directly into gem, so that regardless of where code is pushed, and before code is pushed, devs get a clear warning when they reference vulnerable RubyGems packages. -- https://bugs.ruby-lang.org/ Unsubscribe: