
chore(renovate): support transitive deps#649

Open
janishorsts wants to merge 1 commit into
mainfrom
chore-renovate-ruby-lock-file

Conversation

@janishorsts janishorsts commented Jul 4, 2026

Collaborator

Enables Renovate to update transitive dependencies in lockfiles (fixing Ruby on Rails security alerts).

Changes

  • Enabled lockFileMaintenance globally in renovate.json5.
  • Added .ruby-version (4.0.5) to examples/ruby-on-rails/ so Renovate can run lockfile commands.
  • Upgraded examples/ruby-on-rails/Gemfile.lock to bump vulnerable dependencies and align Bundler to 4.0.15.

@janishorsts janishorsts self-assigned this Jul 4, 2026
@janishorsts janishorsts requested a review from a team as a code owner July 4, 2026 09:43
@janishorsts janishorsts requested review from kmannislands and removed request for a team July 4, 2026 09:43
@janishorsts janishorsts enabled auto-merge (squash) July 4, 2026 09:43
github-actions Bot commented Jul 4, 2026


➖ Are we earthbuild yet?

No change in "earthly" occurrences

📈 Overall Progress

Branch       Total Count
main         5408
This PR      5408
Difference   +0

Keep up the great work migrating from Earthly to Earthbuild! 🚀

💡 Tips for finding more occurrences

Run locally to see detailed breakdown:

./.github/scripts/count-earthly.sh

Note that the goal is not to reach 0.
At least some occurrences of earthly are expected to remain in the source code for backwards compatibility with config files and language constructs.

@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: gem erb is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: examples/ruby-on-rails/Gemfile.lock → gem/debug@1.11.1 → gem/importmap-rails@2.2.3 → gem/rails@8.1.3 → gem/dartsass-rails@0.5.1 → gem/erb@6.0.4


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/erb@6.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

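The PR description says Renovate will now update transitive dependencies, and the Socket alert above reports gem/erb@6.0.4 through a chain of dependents rather than as a direct dependency. When triaging an alert like this, the first question is which direct dependency actually pulls the flagged gem in. The Ruby script below is added here as an example; it is not code from this PR or from the repository. It parses a Gemfile.lock, distinguishes direct dependencies (the DEPENDENCIES section) from transitive ones (present only under specs), and prints every dependency path from a direct dependency to a named gem. The lockfile embedded in it is constructed for the example: the gem names and versions are taken from the alert, but the dependency edges are illustrative and not the real gems' dependency graphs.

```ruby
# Added example (not part of the PR): trace how a gem flagged in a security
# alert is reached from an application's direct dependencies via Gemfile.lock.

# Constructed sample lockfile. Names/versions come from the Socket alert on this
# PR; the edges between them are illustrative, not the real gems' dependencies.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (8.1.3)
        erb (~> 6.0)
      dartsass-rails (0.5.1)
        railties (>= 6.0.0)
      debug (1.11.1)
        irb (~> 1.10)
      erb (6.0.4)
      importmap-rails (2.2.3)
        actionview (>= 6.0.0)
        railties (>= 6.0.0)
      irb (1.15.2)
      rails (8.1.3)
        actionview (= 8.1.3)
        railties (= 8.1.3)
      railties (8.1.3)
        actionview (= 8.1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    dartsass-rails (~> 0.5)
    debug
    importmap-rails
    rails (~> 8.1.3)

  BUNDLED WITH
     2.6.2
LOCK

# Parse a Gemfile.lock into { specs: { name => { version:, deps: [names] } },
# direct: [names] }. Specs live at indent 4 under GEM/GIT/PATH "specs:" blocks,
# their dependencies at indent 6; the DEPENDENCIES section lists direct deps.
def parse_lock(text)
  specs = {}
  direct = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/                 # unindented line: a section heading
      section = line.strip
      next
    end
    indent = line[/\A */].size
    body = line.strip
    case section
    when "GEM", "GIT", "PATH"
      next unless indent >= 4         # skip "remote:", "revision:", "specs:" (indent 2)
      m = body.match(/\A(\S+)(?: \((.+)\))?\z/)
      next unless m
      name, version = m.captures
      if indent == 4                  # "name (version)"
        current = name
        specs[name] = { version: version, deps: [] }
      else                            # "name (constraint)" or bare "name"
        specs[current][:deps] << name
      end
    when "DEPENDENCIES"
      # "name (constraint)" or "name!" (pinned to a git/path source) -> "name"
      direct << body.sub(/!\z/, "").sub(/ \(.+\)\z/, "")
    end
  end
  { specs: specs, direct: direct }
end

# A gem is transitive if it is resolved in the lock but not listed as direct.
def transitive?(lock, name)
  lock[:specs].key?(name) && !lock[:direct].include?(name)
end

# All paths from a direct dependency down to +target+, depth-first and
# cycle-safe (a gem already on the current path is not revisited).
def paths_to(lock, target)
  found = []
  walk = lambda do |name, path|
    return if path.include?(name)
    path += [name]
    if name == target
      found << path
      return
    end
    (lock[:specs].dig(name, :deps) || []).each { |dep| walk.call(dep, path) }
  end
  lock[:direct].each { |root| walk.call(root, []) }
  found
end

if $PROGRAM_NAME == __FILE__
  lock = parse_lock(SAMPLE_LOCK)
  kind = transitive?(lock, "erb") ? "transitive" : "direct"
  puts "erb #{lock[:specs]['erb'][:version]} is a #{kind} dependency"
  paths_to(lock, "erb").each { |p| puts p.join(" -> ") }
end
```

Against a real lockfile, replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")`. The output tells you which direct dependencies must move (or which constraint must loosen) before a lockfile update can actually pick up a fixed version of the flagged gem; if no path is printed, the gem is stale in the lock and a plain `lockFileMaintenance` run will drop it.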

@janishorsts janishorsts changed the title chore(renovate): support ruby transitive deps chore(renovate): support transitive deps Jul 4, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request enables lockfile maintenance in the Renovate configuration and updates Ruby version and Gemfile dependencies for the Ruby on Rails example. The reviewer noted that enabling lockfile maintenance without a custom schedule defaults to a weekly run, which conflicts with the repository's monthly update strategy. It is recommended to configure the lockfile maintenance schedule to run monthly to align with the rest of the repository.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread .github/renovate.json5
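The review above turns on a detail of Renovate's configuration: lockFileMaintenance carries its own default schedule (weekly, documented as "before 4am on monday"), and because it is a nested config object that schedule wins over any top-level schedule, so just setting `enabled: true` does not inherit the repository's monthly cadence. The fragment below is an added example of the two configurations side by side; the repository's actual .github/renovate.json5 is not shown on this page, so the `extends` entry and the monthly schedule string are assumptions.

```json5
// .github/renovate.json5 (added example; the repository's real file is not on this page)
{
  extends: ["config:recommended"],                         // assumed base config
  schedule: ["before 4am on the first day of the month"],  // assumed monthly cadence

  // As the PR describes it: enabled with no schedule of its own. This does NOT
  // inherit the top-level schedule; Renovate uses lockFileMaintenance's own
  // documented default ("before 4am on monday"), i.e. weekly.
  // lockFileMaintenance: { enabled: true },

  // As the review recommends: give lockfile maintenance an explicit schedule
  // matching the rest of the repository.
  lockFileMaintenance: {
    enabled: true,
    schedule: ["before 4am on the first day of the month"],
  },
}
```

Note that making the schedule monthly also delays how quickly a transitive fix for a security alert lands; if the point of this change is to close such alerts faster, that trade-off belongs in the review discussion alongside the cadence alignment.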

Labels: ai-assisted (Authored with AI assistance), renovate
