Skip to content

Warn about vendored versionless packages #305

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 17, 2025
Merged

Warn about vendored versionless packages #305

merged 4 commits into from
Jul 17, 2025

Conversation

3v0k4
Copy link
Contributor

@3v0k4 3v0k4 commented Jul 17, 2025
edited
Loading

Hey, first of all, thanks for your work on this gem 🙏

In my project, I got a vendored bootstrap as follows:

# config/importmap.rb
pin "bootstrap", preload: true

Problem is, without the version, audit and outdated (and pristine) ignored that package. Which, is not great because not only the vendored version (v3.4.1) is outdated, but also because it has a vulnerability.

If I change the importmap to:

# config/importmap.rb
pin "bootstrap", preload: true # @3.4.1

Then, I can see the audit:

| Package   | Severity | Vulnerable versions | Vulnerability                                      |
|-----------|----------|---------------------|----------------------------------------------------|
| bootstrap | moderate | >=2.0.0 <=3.4.1     | Bootstrap Cross-Site Scripting (XSS) vulnerability |
  1 vulnerability found: 1 moderate

And outdated:

| Package   | Current | Latest |
|-----------|---------|--------|
| bootstrap | 3.4.1   | 5.3.7  |
  1 outdated package found

This PR adds a warning about versionless vendored packages for that reason.

@3v0k4 3v0k4 changed the title Warn about vendored versionless packages WIP: Warn about vendored versionless packages Jul 17, 2025
@3v0k4 3v0k4 changed the title WIP: Warn about vendored versionless packages Warn about vendored versionless packages Jul 17, 2025
@rafaelfranca
Improve code organization
14068d4
@rafaelfranca
Decrease complexity of vendored_packages_without_version method
ae259e9 
It was O(n^2) because it iterated over packages_with_versions
multiple times.

Now it is O(n) because it uses a set to track versioned packages
and checks membership in constant time.

Also do a single pass in the importmap lines to find unversioned
packages.
@rafaelfranca
Remove so many nested blocks in the test
2d711e1 
The files are already inside a tmpdir, we don't need to delete them
after the use.
@rafaelfranca rafaelfranca merged commit 9cd897f into rails:main Jul 17, 2025
34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@3v0k4 @rafaelfranca