Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump ransack from 3.0.1 to 4.0.0 #1886

Merged
merged 4 commits into from
Aug 8, 2023

Conversation

veelenga
Copy link
Contributor

@veelenga veelenga commented Aug 7, 2023

Description

Vulnerability report: SNYK-RUBY-RANSACK-5776488
Ransack changelog: https://github.com/activerecord-hackery/ransack/blob/main/CHANGELOG.md

We use ransack 4 in production for a while, however since ransack 3.1.0 is a transitive dependency in Avo, the vulnerability scanner continuously reports the problem with the dependency.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

Manual review steps

  1. Step 1
  2. Step 2

Manual reviewer: please leave a comment with output from the test if that's the case.

@codeclimate
Copy link

codeclimate bot commented Aug 7, 2023

Code Climate has analyzed commit 8e7a2a1 and detected 0 issues on this pull request.

View more on Code Climate.

@veelenga
Copy link
Contributor Author

veelenga commented Aug 7, 2023

@adrianthedev @Paul-Bob could you please coordinate how we can proceed with this? Having ransack 3.1.0 in the bundle in a blocker for our project since it is vulnerable and breaks our company policies. I can see two options:

  1. Upgrade ransack 3.1.0 -> 4.0.0 in Avo. But this may be a breaking change for the Avo end-user because of explicit whitelist.
  2. Move ransack to the development section in Avo's Gemfile so it will not be bundled in the production build as a transitive dependency.

UPD: I followed with option 1 for now

@veelenga veelenga marked this pull request as ready for review August 7, 2023 17:26
@Paul-Bob
Copy link
Contributor

Paul-Bob commented Aug 8, 2023

Thank you for the PR @veelenga!

I think the upgrade to 4.0.0 Is a good path to follow. We should document it on the avo docs upgrade guide too.

@veelenga
Copy link
Contributor Author

veelenga commented Aug 8, 2023

@Paul-Bob thanks for the feedback.

I did another look and it seems like the dependencies from Gemfile are not bundled by the app, so there is no risk in upgrading ransack to 4.0.0 since it is not a breaking change. Sorry for the confusion.

Also, docs already have a note regarding ransack 4 and ransackable_attributes so I think this is good to go.

@adrianthedev adrianthedev merged commit 9e3a2e5 into avo-hq:main Aug 8, 2023
9 checks passed
@adrianthedev
Copy link
Collaborator

Yeah, ransack is not an actual dependency for Avo. The dep updated in the Appraisal file is just for the CI system.

Thanks for that!

@veelenga veelenga deleted the ve-bump-ransack branch August 8, 2023 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants