Fix vulnerabilities as of 2025-04-08 #352

Merged: tung2744 merged 7 commits into authgear:master from louischan-oursky:fix-vuln-2025-04-08 on Apr 9, 2025

Conversation

@louischan-oursky (Contributor)

No description provided.

@tung2744 (Collaborator) commented Apr 8, 2025

  1. CI is failing because we cannot sign apps in PRs. Maybe we should skip those jobs in PRs?
  2. Is it really necessary to audit dependencies in Ruby, which actually does not affect the SDK?

@louischan-oursky (Contributor, Author)

  1. Let me skip them when it is a PR job.
  2. Yes, the vuln does not actually affect the SDK at runtime, but we cannot skip them. cc @rickmak

Comment thread .github/workflows/ci.yaml
- uses: ruby/setup-ruby@v1
with:
bundler-cache: true
- run: make ruby-audit
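Review bot: both the `ruby/setup-ruby@v1` reference and the unconditional `make ruby-audit` step deserve a second look here. A floating major-version tag means the action used to run a dependency audit can itself change underneath you; pinning to a full commit SHA with the version noted in a comment keeps the audit job reproducible. If the team concludes the gem audit should not block pull-request CI, gate this step with an `if:` condition on the triggering event instead of deleting it, so the audit still runs on pushes to `master`.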
Collaborator:

So are we going to remove this step?

Contributor Author:

No. Fixing vulnerabilities in gems is still needed.

Collaborator:

Yes, but I believe it should not block CI because they are development dependencies?
Anyway, let me merge this first.

Member:

It will be very difficult to separate out the development dependencies that might generate code to be used in production. For example, a program used in go generate might have a CVE that makes it generate faulty code. So from a compliance perspective, we will cover the dev dependencies.

The same logic follows: developer machines are in the compliance coverage too.

@tung2744 tung2744 merged commit ef216b3 into authgear:master Apr 9, 2025
9 checks passed