Skip to content

Use frozen setting to disallow changes to Gemfile.lock

Anastasia McDonald requested to merge qa-use-frozen-in-danger-review into master

As per the Rubygems.org advisory, we should use either the frozen or deployment options as defense-in-depth to mitigate supply chain attacks - https://github.com/rubygems/rubygems.org/security/advisories/GHSA-hccv-rwq6-vh79

Please note that --frozen flag is deprecated so we should use bundle config set --local frozen 'true' instead.

See gitlab-org/gitlab-pages#758 (closed)

Edited by Anastasia McDonald

Merge request reports

Loading