@bascule we control the YAML. Also, we don't activate the bundle, just use Bundler::LockfileParser.
@postmodern_mod3 is there any reason you aren't using SafeYAML with bundler-audit?
@postmodern_mod3 you "control" the YAML until there's another @homakov-style Github compromise ;)
@bascule @postmodern_mod3 @homakov I don't usually own repos, but when I do I put a noisy exploit in a YAML instead of backdooring the code
@rantyben @postmodern_mod3 @homakov call me crazy, but I would prefer my security tools close known attack vectors if possible :O
@bascule @rantyben @homakov feel free to send me a pull request. I would prefer to use Psych.safe_load /cc @tenderlove.
@bascule @rantyben @homakov @tenderlove unfortunately, MRI 2.1 is the only Ruby that includes Psych.safe_load. :(
@postmodern_mod3 @rantyben @homakov @tenderlove what about using YAML.parse?