Insecure version of rake used all over hammer

A lot of hammer repositories have pinned to an ancient and insecure version of Rake which triggers security warnings (CVE-2020-8130). I’ve tried to submit one PR but it fails all over.

Note that this is copied into basically all hammer repositories.

I’d like to ask the various maintainers to take a look at this.

Is it used anywhere outside the test group? i.e. does this only affect development, not production usage?

Seems that we’ve got that dependency used only in test/dev environment, so it shouldn’t affect production usage. Although we plan to update it and fix failing tests (or the cause of it).

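To answer both questions raised above for any given hammer repository (which rake version is locked, and whether rake is declared only in the development/test groups), the following is an added example, not hammer's own tooling or code from the thread. It scans a Gemfile.lock for the locked rake version and compares it against 12.3.3, the first release that fixes CVE-2020-8130, and evaluates a Gemfile through a small recorder object to see which Bundler groups pull rake in. The Gemfile and Gemfile.lock contents are constructed samples; the version regex assumes Bundler's usual lockfile layout (spec entries indented four spaces).

```ruby
# Added example, not part of any hammer repository.
# Checks a Gemfile.lock for a rake version vulnerable to CVE-2020-8130
# (fixed in rake 12.3.3) and a Gemfile for the groups that declare rake.
require 'rubygems'

# Constructed sample inputs, not copied from any real repository.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'

  gem 'hammer_cli'

  group :development, :test do
    gem 'rake', '~> 10.1'
    gem 'minitest'
  end
GEMFILE

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      hammer_cli (2.0.0)
      minitest (5.14.0)
      rake (10.1.1)

  DEPENDENCIES
    hammer_cli
    minitest
    rake (~> 10.1)
LOCK

# Rake releases older than this are affected by CVE-2020-8130.
RAKE_FIXED_VERSION = Gem::Version.new('12.3.3')

# Returns the rake version resolved in Gemfile.lock, or nil if rake is not locked.
# Relies on Bundler indenting resolved specs by four spaces under "specs:";
# the two-space DEPENDENCIES entry ("rake (~> 10.1)") does not match.
def locked_rake_version(lock_text)
  m = lock_text.match(/^ {4}rake \((\d+(?:\.\d+)*)\)/)
  m && Gem::Version.new(m[1])
end

def rake_vulnerable?(lock_text)
  v = locked_rake_version(lock_text)
  !v.nil? && v < RAKE_FIXED_VERSION
end

# Minimal Gemfile DSL recorder: only tracks which groups each gem is declared in.
# NOTE: instance_eval runs the Gemfile as Ruby, so only point it at Gemfiles
# you would bundle anyway.
class GemfileScanner
  attr_reader :gems

  def initialize
    @gems = {}            # gem name => array of group symbols
    @groups = [:default]
  end

  def source(*); end
  def ruby(*); end
  def gemspec(*); end

  def gem(name, *args)
    opts = args.last.is_a?(Hash) ? args.last : {}
    groups = Array(opts[:group] || opts[:groups] || @groups)
    (@gems[name] ||= []).concat(groups).uniq!
  end

  def group(*names)
    saved = @groups
    @groups = names
    yield
  ensure
    @groups = saved
  end

  def self.scan(text)
    scanner = new
    scanner.instance_eval(text)
    scanner.gems
  end
end

# True when rake is absent or declared only under :development / :test,
# i.e. the pin does not reach a production bundle installed with those groups excluded.
def rake_only_in_dev_test?(gemfile_text)
  groups = GemfileScanner.scan(gemfile_text)['rake']
  return true if groups.nil?
  (groups - [:development, :test]).empty?
end

def report(gemfile_text, lock_text)
  {
    locked_version: locked_rake_version(lock_text)&.to_s,
    vulnerable: rake_vulnerable?(lock_text),
    dev_test_only: rake_only_in_dev_test?(gemfile_text)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Against a real checkout: report(File.read('Gemfile'), File.read('Gemfile.lock'))
  puts report(SAMPLE_GEMFILE, SAMPLE_LOCK).inspect
end
```

For the constructed sample the report shows rake 10.1.1 locked, flagged as vulnerable, and confined to the development and test groups, which matches the conclusion in the thread that the pin affects development rather than production installs. A repository that declares rake outside those groups, or that pulls it in transitively through a production gem, would show `dev_test_only: false` or need the transitive dependency checked in the lockfile separately.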

Since this hasn’t been resolved and I get a weekly email about this, I’ve given the appropriate teams permissions to see these as well. Those teams will probably get the same weekly reminder now.