It would be nice if you could specify CVEs to ignore via a config file, similar to bundler-audit's config file, instead of needing to append them each to the ruby-audit command using -i.
What should happen if someone specifies ignored CVEs through both the -i command line option and the config file? It looks like bundler-audit's logic says: if there are ignored CVEs specified through the -i command line option, then they override whatever is in the config file, instead of adding to it. I'm not so sure about this choice, but maybe it's best to follow the same convention so that users of both ruby_audit and bundler-audit aren't surprised?
Edit: Also, should we use the same default config filename, .bundler-audit.yml? And the same structure? I can see an argument for not wanting to tightly couple our config file to theirs, but I can also see an argument for not making users keep two config files in sync.
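The two precedence options raised in the comment above, side by side, as an added example that is not code from ruby_audit or bundler-audit. It assumes a YAML config with a top-level `ignore` list; `load_ignored`, `effective_ignores` and the advisory IDs are hypothetical names and constructed placeholders.

```ruby
require 'yaml'

# Constructed sample config; the advisory IDs are placeholders, not real CVEs.
SAMPLE_CONFIG = <<~YAML
  ---
  ignore:
    - CVE-0000-0001
    - CVE-0000-0002
YAML

# Parse config text and return its ignore list. Malformed input is rejected
# so a typo cannot silently change which advisories are suppressed.
def load_ignored(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  raise ArgumentError, 'config must be a mapping' unless doc.is_a?(Hash)

  ignore = doc.fetch('ignore', [])
  unless ignore.is_a?(Array) && ignore.all? { |id| id.is_a?(String) }
    raise ArgumentError, "'ignore' must be a list of advisory ID strings"
  end
  ignore.uniq
end

# Hypothetical helper: resolve the effective ignore list under either policy.
#   :override - any -i value replaces the config list (convention described above)
#   :merge    - -i values are added to the config list
def effective_ignores(cli_ignores, config_ignores, policy: :override)
  case policy
  when :override then cli_ignores.empty? ? config_ignores : cli_ignores.uniq
  when :merge    then (config_ignores + cli_ignores).uniq
  else raise ArgumentError, "unknown policy: #{policy}"
  end
end

if __FILE__ == $PROGRAM_NAME
  from_file = load_ignored(SAMPLE_CONFIG)
  from_cli  = ['CVE-0000-0003'] # constructed value standing in for `-i`
  puts "override: #{effective_ignores(from_cli, from_file).inspect}"
  puts "merge:    #{effective_ignores(from_cli, from_file, policy: :merge).inspect}"
end
```

Under `:override`, passing a single `-i` means advisories ignored only in the file are reported again; under `:merge`, the suppressed set can only grow.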