Filter on dependencies - exclude dev and test #389

Open
so87 opened this issue Oct 16, 2023 · 3 comments
Comments

so87 commented Oct 16, 2023

Description

Other tools like npm-audit can filter on production dependencies with "--prod". This cuts down on findings in general, but allows developers to focus on the most important issues.

so87 added the feature label Oct 16, 2023
so87 changed the title from "Filter on dependencies - exclude dev and test d" to "Filter on dependencies - exclude dev and test" Oct 16, 2023
postmodern (Member) commented

Bundler does support dependency groups, however those are only used to activate specific sets of dependencies. The information isn't stored in the Gemfile.lock. We'd need to load the Gemfile, filter by dependency group, then parse the Gemfile.lock and filter the gems that belong to that group.
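The two-file approach sketched in the comment above (read group membership from the Gemfile, then filter the Gemfile.lock by it), worked through as an added Ruby example. This is not bundler-audit or Bundler code: `GemfileGroups`, `parse_lockfile` and `gems_in_groups` are hypothetical, hand-rolled stand-ins for `Bundler::Dsl` and `Bundler::LockfileParser`, and the Gemfile/Gemfile.lock pair is constructed. It goes one step beyond the comment by walking the lockfile's dependency graph, so a group's transitive dependencies are kept as well as its top-level gems.

```ruby
# Hypothetical minimal Gemfile evaluator (not Bundler::Dsl): records the groups of
# each top-level gem; gems outside any `group` block/option land in :default.
class GemfileGroups
  attr_reader :groups_of # gem name => array of group symbols

  def initialize
    @groups_of = {}
    @stack = [] # groups of the enclosing `group ... do` blocks
  end

  # Directives irrelevant to group membership are accepted and ignored.
  %i[source ruby git_source gemspec].each { |d| define_method(d) { |*| } }

  def group(*names, &block)
    @stack.push(names.flatten.map(&:to_sym))
    instance_eval(&block)
  ensure
    @stack.pop
  end

  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    groups = Array(opts[:group] || opts[:groups]).map(&:to_sym) + @stack.flatten
    @groups_of[name] = (@groups_of[name] || []) | (groups.empty? ? [:default] : groups)
  end

  # Like Bundler itself, this executes the Gemfile as Ruby code.
  def self.parse(contents)
    new.tap { |dsl| dsl.instance_eval(contents) }.groups_of
  end
end

# Minimal Gemfile.lock reader (not Bundler::LockfileParser): each `specs:` entry
# with its locked version and the names of its own dependencies (one level deeper).
def parse_lockfile(contents)
  specs = {} # name => { version: String, deps: [names] }
  current = nil
  in_specs = false
  contents.each_line do |raw|
    line = raw.chomp
    in_specs = false if line =~ /\A[A-Z]/ # section header: GEM, DEPENDENCIES, ...
    in_specs = true if line.strip == "specs:"
    m = line.match(/\A( +)(\S+)(?: \((.*)\))?\z/)
    next unless in_specs && m
    indent, name, req = m[1].size, m[2], m[3]
    if indent == 4
      current = name
      specs[name] = { version: req, deps: [] }
    elsif indent == 6 && current
      specs[current][:deps] << name
    end
  end
  specs
end

# Transitive closure from the top-level gems in the requested groups. A gem that
# both production and test code reach stays in the production set.
def gems_in_groups(gemfile, lockfile, groups)
  wanted = groups.map(&:to_sym)
  roots = GemfileGroups.parse(gemfile).select { |_, gs| (gs & wanted).any? }.keys
  specs = parse_lockfile(lockfile)
  locked = {} # name => locked version
  queue = roots.dup
  until queue.empty?
    name = queue.shift
    next if locked.key?(name) || !specs.key?(name)
    locked[name] = specs[name][:version]
    queue.concat(specs[name][:deps])
  end
  locked
end

# Constructed sample input; the gem versions are illustrative, not a real lockfile.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rails", "~> 7.1"
  group :development, :test do
    gem "rspec-rails"
  end
  gem "rubocop", group: :development
GEMFILE
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    specs:
      actionpack (7.1.2)
        rack (>= 2.2.4)
      rack (3.0.8)
      rails (7.1.2)
        actionpack (= 7.1.2)
      rspec-rails (6.1.0)
        actionpack (>= 6.1)
      rubocop (1.59.0)

  DEPENDENCIES
    rails (~> 7.1)
LOCK

puts gems_in_groups(SAMPLE_GEMFILE, SAMPLE_LOCKFILE, [:default]).inspect if $PROGRAM_NAME == __FILE__
```

On the sample, the production set is rails, actionpack and rack; rspec-rails and rubocop are the only gems a dev/test filter would drop. actionpack is reached by both rails and rspec-rails and stays in, which is the property that matters for an audit filter: it must never hide a gem that ships. A real implementation would lean on Bundler's own parsers rather than these stand-ins, since they also handle git/path sources, platforms and `require:` options that this example ignores.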

so87 (Author) commented Oct 17, 2023

@postmodern Ok, so I should do a build command, then audit on that Gemfile.lock.

Last question - do you guys support any type of audit fix command, or plan to in the future?

postmodern (Member) commented

> @postmodern Ok, so I should do a build command, then audit on that Gemfile.lock.

bundle-audit is designed to audit the current versions in Gemfile.lock, which represents the versions that will be installed and ran in production.

> Last question - do you guys support any type of audit fix command, or plan to in the future?

That already exists in the form of bundle update. Most security advisories can be solved by simply upgrading to the latest version of the affected gem. Unless you have specifically locked down a gem's version to ~> X.Y.Z in the Gemfile (~> X.Y is a safer dependency range), it should be possible to upgrade to the latest patch-version with bundle up gem-name-here.
