
chore: check in Gemfile.lock for supply chain security#116

Merged
marandaneto merged 1 commit into main from chore/check-in-gemfile-lock on Mar 31, 2026

Conversation

@marandaneto
Member

Problem

Gemfile.lock was gitignored, so every CI run (bundle install) resolved fresh dependencies. If a transitive dependency gets compromised between runs, CI silently pulls the malicious version with no diff to review.

CI runs bundle install across 3 Ruby versions (3.2, 3.3, 3.4) — all resolving independently without a lock file.

Changes

  • Removed Gemfile.lock from .gitignore
  • Generated and committed Gemfile.lock — pins all 80+ direct and transitive dependencies with checksums (Bundler 2.4+ includes a CHECKSUMS section for integrity verification)
  • To update dependencies: run bundle update and commit the diff
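As an added example, not part of this PR or the project's code: a small Ruby script that parses the CHECKSUMS section of a Gemfile.lock and compares fetched gem files against the pinned digests, which is the integrity check a committed lock file makes possible (Bundler performs the same comparison itself during bundle install). The lockfile excerpt, gem names and gem bodies are constructed; the "name (version) sha256=<hex>" line format is the one Bundler writes when checksums are enabled.

```ruby
require "digest"

# Constructed Gemfile.lock excerpt (not this project's real lock file).
# With checksums enabled Bundler writes "  name (version) sha256=<hex>"
# lines under CHECKSUMS; these digests are SHA-256 of "abc" and "".
LOCKFILE = <<~LOCK
  GEM
    specs:
      bar (2.1.0)
      foo (1.0.0)

  CHECKSUMS
    bar (2.1.0) sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    foo (1.0.0) sha256=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

  BUNDLED WITH
     2.5.0
LOCK

CHECKSUM_LINE = /\A\s+(\S+) \(([^)]+)\) sha256=([0-9a-f]{64})\z/
# Parse the CHECKSUMS section into { "name-version" => hex_digest }.
def parse_checksums(lock_text)
  pinned = {}
  in_section = false
  lock_text.each_line(chomp: true) do |line|
    unless line.start_with?(" ")
      in_section = (line == "CHECKSUMS") # section headers sit at column 0
      next
    end
    next unless in_section && (m = CHECKSUM_LINE.match(line))
    pinned["#{m[1]}-#{m[2]}"] = m[3]
  end
  pinned
end

# Compare fetched gem files ({ "name-version" => bytes }) against the
# pinned digests; returns findings, empty when everything matches.
def verify_gems(lock_text, gems)
  pinned = parse_checksums(lock_text)
  gems.filter_map do |key, bytes|
    expected = pinned[key]
    next "#{key}: no checksum pinned in Gemfile.lock" if expected.nil?
    actual = Digest::SHA256.hexdigest(bytes)
    "#{key}: checksum mismatch (expected #{expected[0, 12]}..., got #{actual[0, 12]}...)" if actual != expected
  end
end

if __FILE__ == $PROGRAM_NAME
  puts verify_gems(LOCKFILE, "foo-1.0.0" => "abc", "bar-2.1.0" => "tampered")
end
```

Running the file directly reports bar, whose constructed bytes no longer match the digest pinned in the lock file.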

- Remove Gemfile.lock from .gitignore
- Generated lock file pins all 80+ direct and transitive dependencies
  with checksums (Bundler 2.4+)
- CI was running 'bundle install' fresh across 3 Ruby versions without
  a lock file, allowing transitive deps to silently change between runs
@marandaneto marandaneto requested a review from a team March 31, 2026 11:53
@marandaneto marandaneto merged commit 3e538c4 into main Mar 31, 2026
15 checks passed
@marandaneto marandaneto deleted the chore/check-in-gemfile-lock branch March 31, 2026 15:20