Rails Sprockets Vulnerability

I'm sure most folks have heard about it by now, but there was a major security vulnerability reported in the Rails asset pipeline this week: https://blog.heroku.com/rails-asset-pipeline-vulnerability

Update your gems, and rotate your database credentials!

Happy Wednesday!

DISCUSSION (4)

I was very happy to see Heroku crash our deploy with a big fat error message. I think we were able to upgrade within the hour that this was announced yesterday.

Yeah! I was super impressed with Heroku's response. They're always on top of their game.

Out of curiosity, is there any use case for changing the option config.assets.compile to true in production?

I assumed that everybody would precompile the assets on deploy.

What are the impacts of changing

config/environments/production.rb

config.assets.compile = true # setting to true makes your app vulnerable

and updating sprockets?
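As an added example (not part of the original post or the thread), here is a small Ruby audit that reads a production.rb and reports whether live asset compilation is on. The helper names asset_compile_enabled? and audit_production_config are invented for this illustration, and the two config bodies are constructed samples. It treats a missing line as enabled because sprockets-rails turns compilation on by default and the generated production.rb disables it explicitly.

```ruby
# Added example: audit config/environments/production.rb for the
# config.assets.compile setting discussed in the comment above.
# Helper names are hypothetical; sample configs below are constructed.

ASSET_COMPILE_RE = /^\s*config\.assets\.compile\s*=\s*(true|false)\b/

# Returns true when the config leaves live asset compilation enabled.
# Commented-out lines are ignored and the last assignment wins. If no
# assignment is present at all, answer true (conservative): sprockets-rails
# defaults compile to true, and only the generated production.rb sets it
# to false explicitly.
def asset_compile_enabled?(production_rb)
  value = nil
  production_rb.each_line do |line|
    next if line.strip.start_with?('#') # skip commented-out settings
    m = ASSET_COMPILE_RE.match(line)
    value = (m[1] == 'true') if m
  end
  value.nil? ? true : value
end

# Reads a production.rb from disk and returns a one-line finding.
def audit_production_config(path)
  if asset_compile_enabled?(File.read(path))
    "#{path}: live asset compilation is ON; update sprockets and set config.assets.compile = false"
  else
    "#{path}: live asset compilation is off; assets must be precompiled on deploy"
  end
end

# Constructed sample configs (not from any real application):
SAMPLE_VULNERABLE = <<~RUBY
  Rails.application.configure do
    # config.assets.compile = false
    config.assets.compile = true # setting to true makes your app vulnerable
  end
RUBY

SAMPLE_SAFE = <<~RUBY
  Rails.application.configure do
    config.assets.compile = false
    config.assets.digest = true
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  puts asset_compile_enabled?(SAMPLE_VULNERABLE) # true
  puts asset_compile_enabled?(SAMPLE_SAFE)       # false
end
```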


Alex
CTO @ Prevent A Lemon. Platform Developer @ Grassriots Inc. Runner, dog person.
