@woodruffw’s “We should all be using dependency cooldowns” makes a good case that supporting a cooldown (a window of time between when a dependency is published and when it’s considered suitable for use) when updating dependencies is an effective way to mitigate common supply chain attacks.

npm-check-update supports this natively via its `cooldown` option, pnpm via its `minimumReleaseAge`, and Dependabot via `cooldown`.

Could Bundler support this directly itself when calling the likes of `bundle update` and `bundle outdated`?

At the moment, it seems Dependabot separately queries the RubyGems (and private registries’) API to determine the release date for each gem version so I assume this isn’t already readily available via a CLI command.
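To make the cooldown rule concrete, here is an added Ruby illustration of the check the post describes (it is not Bundler or Dependabot code). It assumes the per-version publication data has the shape of the RubyGems `/api/v1/versions/<gem>.json` response (`number`, `created_at`, `prerelease`); the gem versions and dates in the sample are constructed. The helper drops prereleases, discards any version published more recently than the cooldown window, and returns the newest version that remains, which is the version a cooldown-aware `bundle update` would pick instead of the absolute latest.

```ruby
require "json"
require "time"

# Constructed sample shaped like the RubyGems versions API response
# (/api/v1/versions/<gem>.json). Versions and timestamps are invented.
SAMPLE_VERSIONS_JSON = <<~JSON
  [
    {"number": "2.1.0",      "created_at": "2025-11-10T09:00:00.000Z", "prerelease": false},
    {"number": "2.1.0.pre1", "created_at": "2025-10-25T08:00:00.000Z", "prerelease": true},
    {"number": "2.0.1",      "created_at": "2025-10-20T14:30:00.000Z", "prerelease": false},
    {"number": "2.0.0",      "created_at": "2025-09-01T12:00:00.000Z", "prerelease": false}
  ]
JSON

# Versions that have been public for at least `cooldown_days` as of `now`,
# newest first, ignoring prereleases. Gem::Version is used for ordering so
# that "2.10.0" sorts above "2.9.0" (plain string comparison would not).
def eligible_versions(versions_json, cooldown_days:, now:)
  cutoff = now - cooldown_days * 24 * 60 * 60
  JSON.parse(versions_json)
      .reject { |v| v["prerelease"] }
      .select { |v| Time.iso8601(v["created_at"]) <= cutoff }
      .map { |v| Gem::Version.new(v["number"]) }
      .sort
      .reverse
end

# The newest version that satisfies the cooldown, or nil if none does
# (for example when the window is longer than the gem's whole history).
def cooled_down_latest(versions_json, cooldown_days:, now:)
  eligible_versions(versions_json, cooldown_days: cooldown_days, now: now).first
end

# Human-readable comparison of "latest" versus "latest after cooldown",
# the information a `bundle outdated --cooldown` style report would show.
def cooldown_report(versions_json, cooldown_days:, now:)
  latest = eligible_versions(versions_json, cooldown_days: 0, now: now).first
  picked = cooled_down_latest(versions_json, cooldown_days: cooldown_days, now: now)
  if picked.nil?
    "no version is older than #{cooldown_days} days; holding current version"
  elsif picked == latest
    "#{latest} has cleared the #{cooldown_days}-day cooldown"
  else
    "#{latest} is too new; #{picked} is the newest version past the #{cooldown_days}-day cooldown"
  end
end

if $PROGRAM_NAME == __FILE__
  # Fixed "now" so the demo is reproducible; a real tool would use Time.now.
  now = Time.iso8601("2025-11-12T00:00:00Z")
  [0, 7, 30, 100].each do |days|
    puts "cooldown #{days}d: #{cooldown_report(SAMPLE_VERSIONS_JSON, cooldown_days: days, now: now)}"
  end
end
```

With the sample data and a fixed clock of 2025-11-12, a 7-day window skips 2.1.0 (published two days earlier) in favour of 2.0.1, a 30-day window falls back to 2.0.0, and a 100-day window yields nothing, which a tool should treat as "keep what is locked" rather than as an error. A real implementation would also need to honour yanked versions and the `created_at` values served by private registries, as the post notes Dependabot already does.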