[Fix #10570] Add new Gemspec/DependencyVersion cop #10572
config/default.yml
@@ -242,6 +242,18 @@ Gemspec/DateAssignment: | |||
Include: | |||
- '**/*.gemspec' | |||
|
|||
Gemspec/DependencyVersion: | |||
Description: 'Requires or forbids specifying gem dependency versions.' | |||
Enabled: pending |
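Review bot: the visible lines of the new `Gemspec/DependencyVersion` entry stop at `Description` and `Enabled: pending`, while the neighbouring `Gemspec/DateAssignment` entry restricts itself with `Include: - '**/*.gemspec'`; the new entry needs the same `Include`, a `VersionAdded`, and `EnforcedStyle: required` with `SupportedStyles: [required, forbidden]` so that both styles described in the PR body are configurable. The `Description` also mentions only versions, whereas the PR states the cop accepts a commit reference too; suggest 'Requires or forbids specifying gem dependency versions or a commit reference.'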
There is a similar argument in #7669, I think it should be disabled by default.
Enabled: pending | |
Enabled: false |
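Review bot: with `Enabled: false` the cop is no longer switched on by `NewCops: enable`, so users must opt in explicitly in their `.rubocop.yml`; the changelog entry for this PR should state that the cop is disabled by default so the opt-in is discoverable.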
Thanks, I think .rubocop.yml should be reverted together too, so I'll fix this directly on my local branch.
2c7c849 to 9a98087
I think you can enable this for RuboCop itself. I'm a fan of explicit versions everywhere.
Resolve: rubocop#10570.

This cop requires/forbids version specifications or a commit reference for gem dependency in gemspec.

## example

```ruby
# EnforcedStyle: required (default)

# bad
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop'
end

# good
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop', '~> 1.28'
end
```

```ruby
# EnforcedStyle: forbidden

# bad
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop', '~> 1.28'
end

# good
Gem::Specification.new do |spec|
  spec.add_dependency 'rubocop'
end
```
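As an added example (not code from this PR or from RuboCop itself), a stand-alone checker that applies the same `required`/`forbidden` rule to a constructed gemspec using the standard-library `Ripper` lexer; unlike a regex it counts arguments by tokens, so a version string containing a comma is not mistaken for a second argument, and it handles both `spec.add_dependency 'x'` and `spec.add_dependency('x', '~> 1')` call forms.

```ruby
require 'ripper'
# Gemspec methods that declare a dependency (the calls the cop inspects).
DEP_METHODS = %w[add_dependency add_runtime_dependency add_development_dependency].freeze
LINE_END = %i[on_nl on_ignored_nl on_comment on_semicolon].freeze

# One hash per declaration: { line:, method:, gem:, versioned: }. Lexing means
# a string such as '~> 1.28, >= 1.28.1' cannot inflate the argument count.
def dependency_calls(source)
  tokens = Ripper.lex(source)
  tokens.each_index.filter_map do |i|
    (line, _col), type, name, _state = tokens[i]
    next unless type == :on_ident && DEP_METHODS.include?(name)
    depth, commas, gem_name = 0, 0, nil
    base = nil # 1 when the call uses parentheses, 0 for command style
    tokens[(i + 1)..].each do |_, t, text, _|
      next if t == :on_sp
      base ||= (t == :on_lparen ? 1 : 0)
      case t
      when :on_lparen then depth += 1
      when :on_rparen then depth -= 1
      when :on_comma then commas += 1 if depth == base
      when :on_tstring_content then gem_name ||= text if depth == base
      when *LINE_END then break if depth.zero?
      end
    end
    { line: line, method: name, gem: gem_name, versioned: commas >= 1 }
  end
end

# Offense messages for EnforcedStyle :required (default) or :forbidden.
def offenses(source, style: :required)
  dependency_calls(source).filter_map do |c|
    if style == :required && !c[:versioned]
      "#{c[:line]}: #{c[:method]} '#{c[:gem]}' has no version specified"
    elsif style == :forbidden && c[:versioned]
      "#{c[:line]}: #{c[:method]} '#{c[:gem]}' specifies a version"
    end
  end
end

# Constructed sample gemspec, not taken from the PR.
SAMPLE_GEMSPEC = <<~RUBY
  Gem::Specification.new do |spec|
    spec.name = 'example'
    spec.add_dependency 'rubocop'                  # bad under :required
    spec.add_dependency 'rexml', '>= 3.2.5'        # good under :required
    spec.add_runtime_dependency('parser', '~> 3.1', '>= 3.1.1')
    spec.add_development_dependency 'rake'         # bad under :required
  end
RUBY
puts offenses(SAMPLE_GEMSPEC) if __FILE__ == $PROGRAM_NAME
```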
9a98087 to 04b7955
Thank you for your review, I've updated PR.
Thanks!
Just a sidenote from my experience - I've maintained a lot of very simple gems, required for my project, and I found out the best experience - to store This allows fine tuning for
I also have this idea. Unlike applications, the
Follow up #10572. REXML dependency was introduced in #7701.

It makes sense to specify the latest secure REXML version 3.2.5 or higher: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/

And it would be clearer to specify `>= X.Y.Z` and `<= X.Y` than to use `~> X.Y` and `>= X.Y.Z` when it comes to protected semantic MAJOR version with required minimum PATCH version.
Resolves #10570.
This cop requires/forbids version specifications or a commit reference for gem dependency in gemspec.
The name for the cop suggested in the issue was `GemVersion`, but I'm renaming it because the cop is interested in the version of the dependency, not the gem owning the gemspec.
Example
Before submitting the PR make sure the following are checked:
- Commit message starts with `[Fix #issue-number]` (if the related issue exists).
- Feature branch is up-to-date with `master` (if not - rebase it).
- Ran `bundle exec rake default`. It executes all tests and runs RuboCop on its own code.
- Added an entry (file) to the changelog folder named `{change_type}_{change_description}.md` if the new code introduces user-observable changes. See changelog entry format for details.