Warn about vendored versionless packages #305

Merged
merged 4 commits into from
Jul 17, 2025

Conversation

3v0k4
Contributor

@3v0k4 3v0k4 commented Jul 17, 2025

Hey, first of all, thanks for your work on this gem 🙏

In my project, I got a vendored bootstrap as follows:

# config/importmap.rb
pin "bootstrap", preload: true

The problem is, without the version, audit and outdated (and pristine) ignored that package, which is not great: not only is the vendored version (v3.4.1) outdated, but it also has a vulnerability.

If I change the importmap to:

# config/importmap.rb
pin "bootstrap", preload: true # @3.4.1

Then, I can see the audit:

| Package   | Severity | Vulnerable versions | Vulnerability                                      |
|-----------|----------|---------------------|----------------------------------------------------|
| bootstrap | moderate | >=2.0.0 <=3.4.1     | Bootstrap Cross-Site Scripting (XSS) vulnerability |
  1 vulnerability found: 1 moderate

And outdated:

| Package   | Current | Latest |
|-----------|---------|--------|
| bootstrap | 3.4.1   | 5.3.7  |
  1 outdated package found

This PR adds a warning about versionless vendored packages for that reason.

@3v0k4 3v0k4 changed the title Warn about vendored versionless packages WIP: Warn about vendored versionless packages Jul 17, 2025
@3v0k4 3v0k4 changed the title WIP: Warn about vendored versionless packages Warn about vendored versionless packages Jul 17, 2025
It was O(n^2) because it iterated over packages_with_versions
multiple times.

Now it is O(n) because it uses a set to track versioned packages
and checks membership in constant time.

Also do a single pass in the importmap lines to find unversioned
packages.

The files are already inside a tmpdir; we don't need to delete them
after use.
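To make the gap concrete, here is an added example (not importmap-rails' own code) of the check the PR description asks for and the single-pass, set-based approach the commit message outlines: scan an importmap.rb, collect the pins that carry a version, and warn about vendored pins that carry none, since those are exactly the ones audit and outdated would silently skip. It goes slightly beyond the PR's `# @x.y.z` comment form by also reading a version out of a CDN URL of the shape `npm:name@x.y.z`; both markers, the function names, the sample importmap and the list of vendored package names are assumptions constructed for this example.

```ruby
# Added example, not importmap-rails code: flag vendored pins in an
# importmap.rb that carry no version, so that nothing can audit them.
require "set"

# Constructed sample importmap.rb. "bootstrap" is vendored without a
# version marker; the other pins either carry one or are not vendored.
SAMPLE_IMPORTMAP = <<~RUBY
  pin "application", preload: true
  pin "bootstrap", preload: true
  pin "@hotwired/turbo-rails", to: "turbo.min.js" # @8.0.4
  pin "lodash", to: "https://ga.jspm.io/npm:lodash@4.17.21/lodash.js"
  pin_all_from "app/javascript/controllers", under: "controllers"
RUBY

# Constructed: names of packages whose files live under vendor/javascript.
SAMPLE_VENDORED = Set["bootstrap", "@hotwired/turbo-rails"]

PIN_LINE        = /\Apin\s+"(?<name>[^"]+)"(?<rest>.*)\z/
# Assumed version markers: a trailing "# @x.y.z" comment (as in the PR
# description) or a CDN URL of the form npm:name@x.y.z.
VERSION_COMMENT = /#\s*@(?<version>\d+\.\d+\.\d+\S*)\s*\z/
URL_VERSION     = %r{npm:[^@\s"]+@(?<version>\d+\.\d+\.\d+[^/"]*)}

# Version found in the remainder of a pin line, or nil when there is none.
def pin_version(rest)
  m = VERSION_COMMENT.match(rest) || URL_VERSION.match(rest)
  m && m[:version]
end

# One pass over the file: each pin line becomes { name:, version: }.
def parse_pins(source)
  source.each_line.filter_map do |raw|
    m = PIN_LINE.match(raw.strip) or next
    { name: m[:name], version: pin_version(m[:rest]) }
  end
end

# Vendored packages pinned without any version. Membership in a set of
# versioned names keeps this linear instead of re-scanning per package.
def versionless_vendored(pins, vendored)
  versioned = pins.filter_map { |p| p[:name] if p[:version] }.to_set
  pins.filter_map do |p|
    p[:name] if vendored.include?(p[:name]) && !versioned.include?(p[:name])
  end.uniq
end

# Human-readable warnings, one per versionless vendored package.
def warnings_for(source, vendored)
  versionless_vendored(parse_pins(source), vendored).map do |name|
    "warning: vendored package \"#{name}\" is pinned without a version; " \
      "audit and outdated will skip it"
  end
end

if __FILE__ == $PROGRAM_NAME
  warnings_for(SAMPLE_IMPORTMAP, SAMPLE_VENDORED).each { |w| warn w }
end
```

Run as a script it prints one warning for `bootstrap`; appending `# @3.4.1` to that pin, as the PR description does, makes the warning disappear because the pin now has a version the audit tooling can compare against advisories.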
@rafaelfranca rafaelfranca merged commit 9cd897f into rails:main Jul 17, 2025
34 checks passed

2 participants