Better Security Through Package Fingerprints

Phil Haack · May 13, 2019
It seemed like an innocuous enough update. Someone yanked version 3.2.0.2 of the bootstrap-sass Ruby gem and published 3.2.0.3. RubyGems more or less follows the SemVer versioning scheme (albeit with an extra version number). An increment of the patch number communicates, but does not enforce, that the release is a backwards-compatible bug fix. The command bundle update --patch is meant to be safe for the same reason: it only moves a dependency to the next patch version. Only, in this case, it was not. Version 3.2.0.3 of bootstrap-sass cont...
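As an added example (not code from the original post), here is what a package fingerprint check looks like in practice: instead of trusting that a patch-level version bump is harmless, the install step hashes the downloaded archive and compares it against a fingerprint recorded when that exact version was last reviewed. The archive contents, the trusted-fingerprint table and the function names below are constructed for illustration; a real check would hash the downloaded .gem file (File.binread) rather than an in-memory string.

```ruby
require "digest"

# Constructed stand-ins for the raw bytes of two .gem archives.
# In real use these would be the files Bundler downloaded, not strings.
REVIEWED_GEM   = "bootstrap-sass 3.2.0.2 (constructed archive bytes)".b
UNREVIEWED_GEM = "bootstrap-sass 3.2.0.3 (constructed archive bytes)".b

# Fingerprint of a gem archive: hex SHA-256 over the raw archive bytes.
# The version string says nothing about integrity; the digest does.
def fingerprint(archive_bytes)
  Digest::SHA256.hexdigest(archive_bytes)
end

# Fingerprints recorded when each gem was reviewed, keyed by full name
# ("name-version"). In practice this table is committed next to Gemfile.lock
# so a changed digest shows up in code review. Constructed for this example.
TRUSTED_FINGERPRINTS = {
  "bootstrap-sass-3.2.0.2" => fingerprint(REVIEWED_GEM),
}.freeze

# Decide whether an archive may be installed. Returns one of:
#   :ok       - a fingerprint is on record for this name-version and matches
#   :mismatch - a fingerprint is on record but the bytes differ
#               (the version was republished or the archive was tampered with)
#   :unknown  - nothing on record; a new version must be reviewed first,
#               even if it is "only" a patch bump
def verify_gem(full_name, archive_bytes, trusted = TRUSTED_FINGERPRINTS)
  expected = trusted[full_name]
  return :unknown if expected.nil?
  fingerprint(archive_bytes) == expected ? :ok : :mismatch
end

# Apply the check to every archive an update would install and return the
# names of the ones that must NOT be installed (anything other than :ok).
# `downloads` maps full gem name -> archive bytes.
def blocked_installs(downloads, trusted = TRUSTED_FINGERPRINTS)
  downloads.reject { |name, bytes| verify_gem(name, bytes, trusted) == :ok }.keys
end

if __FILE__ == $0
  # Walk through the scenario from the post: the reviewed 3.2.0.2 is fine,
  # the freshly published 3.2.0.3 has no fingerprint and is refused, and a
  # 3.2.0.2 whose bytes changed after review is also refused.
  puts verify_gem("bootstrap-sass-3.2.0.2", REVIEWED_GEM)     # ok
  puts verify_gem("bootstrap-sass-3.2.0.3", UNREVIEWED_GEM)   # unknown
  puts verify_gem("bootstrap-sass-3.2.0.2", UNREVIEWED_GEM)   # mismatch
  p blocked_installs(
    "bootstrap-sass-3.2.0.2" => REVIEWED_GEM,
    "bootstrap-sass-3.2.0.3" => UNREVIEWED_GEM
  )
end
```

The important design choice is that an unrecorded version is treated the same as a mismatch: the update is refused until someone records its fingerprint, which is the moment the new archive actually gets looked at. A version number alone, whether a major or a patch increment, never grants that trust.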