@postmodern_mod3 is there any reason you aren't using SafeYAML with bundler-audit?
@rantyben @postmodern_mod3 @homakov call me crazy, but I would prefer my security tools close known attack vectors if possible :O
@bascule @rantyben @homakov feel free to send me a pull request. I would prefer to use Psych.safe_load /cc @tenderlove.
@bascule @rantyben @homakov @tenderlove unfortunately, MRI 2.1 is the only Ruby that includes Psych.safe_load. :(
@postmodern_mod3 @rantyben @homakov @tenderlove what about using YAML.parse?
@bascule we could also use YAML.parse and explicitly coerce the nodes. That seems to be the most pragmatic solution.
@bascule and we already have a simple schema listing https://github.com/rubysec/ruby-advisory-db#schema …
@postmodern_mod3 if you asked @indirect he'd probably tell you to make a simple text format with a minimal string.split parser
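The "YAML.parse and explicitly coerce the nodes" approach discussed in the thread, as an added Ruby example that is not code from bundler-audit or ruby-advisory-db. It walks the Psych node tree instead of calling YAML.load, so no Ruby objects are ever instantiated from tags; the advisory fields and values are constructed samples, and the allowed-key list is an assumption modelled loosely on the advisory-db schema.

```ruby
require 'yaml'

# Constructed sample shaped like an advisory-db entry (values are made up).
SAMPLE_ADVISORY = <<~YAML
  gem: example-gem
  cve: PLACEHOLDER-CVE
  date: 2014-01-01
  title: Example advisory (constructed sample)
  patched_versions:
    - ">= 1.2.3"
YAML

# Constructed sample carrying an explicit tag; YAML.load would try to build an object.
TAGGED_SAMPLE = "gem: !ruby/object:Object {}\n"

# Assumed subset of the schema; anything else is rejected rather than guessed at.
ALLOWED_KEYS = %w[gem cve url title date description
                  patched_versions unaffected_versions].freeze

class UnsafeYAML < StandardError; end

# Turn a Psych node into plain Strings/Arrays/Hashes only. Every scalar stays a
# String (dates and versions are parsed explicitly by the caller later);
# tagged nodes and aliases are refused outright.
def coerce(node)
  raise UnsafeYAML, "tag #{node.tag} not allowed" if node.respond_to?(:tag) && node.tag
  case node
  when Psych::Nodes::Scalar
    node.value
  when Psych::Nodes::Sequence
    node.children.map { |c| coerce(c) }
  when Psych::Nodes::Mapping
    # Mapping#children is a flat [key, value, key, value, ...] list.
    node.children.each_slice(2).each_with_object({}) do |(k, v), h|
      key = coerce(k)
      raise UnsafeYAML, "unexpected key #{key.inspect}" unless ALLOWED_KEYS.include?(key)
      h[key] = coerce(v)
    end
  else
    # Psych::Nodes::Alias lands here, so anchor/alias expansion is never performed.
    raise UnsafeYAML, "unsupported node #{node.class}"
  end
end

def load_advisory(yaml)
  doc = YAML.parse(yaml) # builds the AST only; no constructors run
  raise UnsafeYAML, "empty document" unless doc && doc.root
  coerce(doc.root)
end
```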