Set BUNDLE_FROZEN to true

Thong Kuah requested to merge bundle-frozen-true into master

What does this MR do and why?

See https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79:

Using Bundler in --frozen or --deployment mode in CI and during deploys, as the Bundler team has always recommended, will guarantee that your application does not silently switch to versions created using this exploit.

To make the pipeline pass we had to remove cp Gemfile.lock jh/. This was breaking our as-if-jh jobs, because it was making bundler compare the canonical Gemfile.lock with the JiHu jh/Gemfile version. Since JiHu uses more gems than GitLab canonical repo, the build would fail. We had this cp for legacy reasons. Right now JiHu doesn't need this anymore. For the full context, please read this very long thread. 😅

Related: #361825 (closed)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by João Alexandre Cunha
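Added example, not part of this MR or of GitLab's code: a small Ruby script that mimics the check Bundler's frozen mode performs before installing anything. With BUNDLE_FROZEN=true (or --frozen / --deployment), Bundler compares the gems declared in the Gemfile with the DEPENDENCIES section of Gemfile.lock and refuses to proceed when they differ, instead of quietly re-resolving and rewriting the lockfile. The sample Gemfile.lock, the two Gemfiles and the gem name extra_gem_only_in_jh are constructed for illustration; the second Gemfile declares one gem more than the lockfile, which is the situation the cp Gemfile.lock jh/ step produced for the as-if-jh jobs. This is a simplified re-implementation of the comparison, not Bundler's own parser, which also checks sources, platforms and the Ruby version.

```ruby
# Added example (not from the MR): a simplified pre-flight check that mimics what
# Bundler's frozen mode (BUNDLE_FROZEN=true / --frozen / --deployment) enforces:
# the gems declared in the Gemfile must match the DEPENDENCIES section of
# Gemfile.lock exactly, otherwise Bundler exits non-zero instead of silently
# re-resolving and rewriting the lockfile.
# Simplified on purpose: real Bundler also compares sources, platforms and Ruby
# version and has a far more thorough lockfile parser.

# Gem names declared with `gem "name"` / `gem 'name'` in a Gemfile.
def gemfile_dependencies(gemfile_text)
  gemfile_text.each_line.filter_map do |line|
    m = line.match(/^\s*gem\s+['"]([^'"]+)['"]/)
    m && m[1]
  end.sort
end

# Gem names listed under DEPENDENCIES in a Gemfile.lock.
# Entries look like "  rails (= 7.0.8)", "  rake" or "  foo!" (git/path sources).
def lockfile_dependencies(lockfile_text)
  in_section = false
  names = []
  lockfile_text.each_line do |line|
    if line.start_with?("DEPENDENCIES")
      in_section = true
      next
    end
    # A blank line or a new non-indented section header ends DEPENDENCIES.
    in_section = false if in_section && (line.strip.empty? || line !~ /^\s/)
    next unless in_section
    name = line.strip.sub(/\s*\(.*\)\z/, "").chomp("!")
    names << name unless name.empty?
  end
  names.sort
end

# Describes the drift between Gemfile and Gemfile.lock. :ok is true only when
# both lists are identical, the condition frozen mode requires before installing.
def frozen_check(gemfile_text, lockfile_text)
  declared = gemfile_dependencies(gemfile_text)
  locked   = lockfile_dependencies(lockfile_text)
  {
    ok: declared == locked,
    added:   declared - locked, # in Gemfile, not locked: "You have added to the Gemfile"
    deleted: locked - declared  # locked, not in Gemfile: "You have deleted from the Gemfile"
  }
end

# Constructed sample lockfile (the "canonical" Gemfile.lock): locks rails and rake only.
CANONICAL_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (13.0.6)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 7.0.8)
    rake

  BUNDLED WITH
     2.4.10
LOCK

# Constructed Gemfile that matches the lockfile.
CANONICAL_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "= 7.0.8"
  gem "rake"
GEMFILE

# Constructed Gemfile that declares an extra gem (hypothetical name), the way a
# jh/Gemfile with more gems than the canonical lockfile would.
JH_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"

  gem "rails", "= 7.0.8"
  gem "rake"
  gem "extra_gem_only_in_jh"
GEMFILE

if __FILE__ == $PROGRAM_NAME
  [["canonical", CANONICAL_GEMFILE], ["jh", JH_GEMFILE]].each do |label, gemfile|
    result = frozen_check(gemfile, CANONICAL_LOCK)
    if result[:ok]
      puts "#{label}: Gemfile and Gemfile.lock agree; a frozen install would proceed"
    else
      puts "#{label}: a frozen install would FAIL"
      puts "  declared but not locked: #{result[:added].join(', ')}" unless result[:added].empty?
      puts "  locked but no longer declared: #{result[:deleted].join(', ')}" unless result[:deleted].empty?
    end
  end
end
```

Run it with `ruby frozen_check.rb` (any filename): the canonical pair passes, the jh pair reports the extra gem, which is exactly why copying the canonical lockfile over a Gemfile with more dependencies cannot work once BUNDLE_FROZEN is on.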
