Description
@timgentry wrote:
Is there any merit in getting the CI server to attempt to patch-version bump dependencies when we get CVE warnings? I.e. update the gem and then commit the vendored gem and Gemfile changes if all tests pass?
@joshpencheon wrote:
I’m wondering if trying it at the end of the main CI loop would be sensible, because no point doing it in the middle of a stream of commits being processed, and that way I think you’d also get the “cleanup” logic for free. I don’t think you could limit to patch-version bumps as a) not everything is semantically versioned, and b) the CVE fix might be a bigger change (they rarely are, though). You’d be relying on the test suite to detect regressions, but think this is reasonable.
If a process watching for commits is also committing, it would need to be mindful of other commits made in the interim - i.e. would need to remember the last commit that was properly “CI’d”, and start again from there, rather than from a CVE-addressing commit.
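One concrete shape for the step the thread is describing, added here as an illustration rather than code from either commenter or from the project itself. It assumes bundler-audit is installed, gems are vendored under vendor/cache via `bundle package`, and the suite runs with `bundle exec rake`; the audit report and the `--run` guard are this example's own conventions.

```shell
#!/bin/sh
# Added example: read a bundler-audit report, try a conservative update of
# each flagged gem, keep the change only if the test suite passes, and
# otherwise roll back so the CI checkout is left exactly as it was found.
# Assumptions: bundler-audit installed, gems vendored in vendor/cache,
# tests run via `bundle exec rake`.
set -eu

# Extract the gem names flagged by `bundle audit check` ("Name: foo" lines)
# from a report on stdin, de-duplicated and sorted.
vulnerable_gems() {
  awk '/^Name:/ { print $2 }' | sort -u
}

# Bump a single gem without touching unrelated dependencies (no blanket
# `bundle update`), refresh the vendored cache, and gate the commit on the
# test suite. Any failure restores Gemfile.lock and vendor/cache.
try_patch_gem() {
  gem="$1"
  bundle update --conservative "$gem" || return 1
  bundle package || return 1
  if bundle exec rake; then
    git add Gemfile.lock vendor/cache
    git commit -q -m "Bump $gem to address advisory reported by bundler-audit"
    return 0
  fi
  git checkout -- Gemfile.lock vendor/cache
  git clean -fdq vendor/cache
  return 1
}

# The loop only runs when asked for explicitly, so sourcing this file for
# its functions has no side effects. In CI this would be invoked once at the
# end of the main loop, from the last commit that was properly CI'd.
if [ "${1:-}" = "--run" ]; then
  # `bundle audit check` exits non-zero when advisories exist; that is the
  # expected case here, so the report is still captured.
  bundle audit check --update > audit.txt || true
  vulnerable_gems < audit.txt | while read -r gem; do
    try_patch_gem "$gem" || echo "could not auto-patch $gem; needs a human" >&2
  done
fi
```

Gems whose fix needs more than a conservative bump (or whose bump breaks the suite) are reported rather than committed, which matches the thread's point that not every advisory is a patch-level change.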