Six years ago was the beginning of a new adventure. At the time, I was part of a group of developers who were among the first to detect the need to monitor software dependencies. We were managing multiple projects and had a hard time keeping up with all the Ruby on Rails and gem vulnerabilities. We were afraid of missing an important vulnerability, and couldn’t find a service to do the job.
After months of hard work and just in time for the holidays, we are thrilled to announce the immediate availability of Java support in Gemnasium.com and Gemnasium Enterprise 1.5. Starting with an integration with Maven, you can use Gemnasium to monitor security vulnerabilities in your Java codebase hosted in the cloud or in your self-hosted code repository of choice. We would like to acknowledge our early adopters who helped us test this latest functionality during the private beta.
With Bundler 2.0 just around the corner, some changes are coming in the Ruby community. The most visible breaking change will be the use of new files to replace Gemfile and Gemfile.lock. There has been a lot of discussion around these files, starting in 2010. The core team has decided to rename these files to gems.rb and gems.lock. These will now be the default files for all Ruby projects using dependencies.
A Slovak security team published a security advisory last week on some PyPI packages. In summary: “SK-CSIRT identified malicious software libraries in the official Python package repository, PyPI, posing as well known libraries. A prominent example is a fake package urllib-1.21.1.tar.gz, based upon a well known package urllib3-1.21.1.tar.gz. Such packages may have been downloaded by an unwitting developer or administrator by various means, including the popular “pip” utility (pip install urllib).”
Welcome to this new npm monthly! It covers a bit more than the last month, as we took a summer break from these updates. In this edition, we have a lot to share about some major npm packages used by thousands and thousands of you, dear readers! React 16 betas & RCs: the first beta of React was released in July, followed by 4 more betas and release candidates. You can learn all the details about what’s in this new version in this GH issue.
Hey folks, after the summer break, we’re back with our Rubygems Monthly newsletter! Quick news about Gemnasium: we are now on the GitHub Marketplace, and we recently started work on adding support for Java… if you want to get it earlier than everyone else, just go here. The Java support will come to Gemnasium Enterprise first. That’s the biggest news of the last few weeks :) Let’s talk about the major gem releases of the last month now!
Hey folks, JP from Gemnasium here for our monthly npm digest! If you want to get this in your inbox monthly, you can subscribe with the little popup at the bottom left or just here. Also, if you’re interested, we have similar blog posts for Ruby, Python and PHP. So, what’s new and worth your time this month? Chai 4: a HUGE release for Chai. It’s faster, thanks to the rewritten deep equality code.
Rubygems Monthly: Sinatra 2, Bundler 1.15, Rubocop, CanCanCan 2, Devise, Puma and ActsAsTaggableOn 5
Hey folks, JP from Gemnasium with you here today. We started doing Rubygems Monthly and similar digests for npm, PyPI, and PHP a month ago. Reception has been great, so here’s the second edition! Before we dive right in, in case you missed it, we published a blog post yesterday called “How to deal with major Ruby on Rails upgrades (like moving from 4.1 to 5.1)”, which goes through the framework we use for big app upgrades with the customers of our professional services (yes, we do some consulting!
Who doesn’t like to build new apps? As much fun as it is to build new things, we also need to maintain and upgrade apps over time. Most people prefer to build new apps, and we can understand that. But we also like to maintain older apps and make them fresh again. Part of the lifecycle of an app is upgrading dependencies to newer versions, especially when they become vulnerable to security issues, or when you use versions that are no longer maintained.