CarrierWave

Upstream URL: https://da.gd/cwave
Security Risk: Medium
Abandonment Risk: Very Low

External contacts

The CarrierWave team is reachable via their public GitHub issue tracker. Security issues can be reported privately via a GitHub Security Advisory (GHSA) rather than in a public issue.

Security posture

CarrierWave is used for handling:

  • Collection thumbnails
  • Item photos and thumbnails
  • Site logo (header) and favicon

All of these upload endpoints are only accessible by administrators, so the untrusted file content that CarrierWave handles arrives through an authenticated admin session rather than from anonymous users. For the Key Treasures deployment of Mall on Rails, the residual risk is very small, as WTI SSO enforces 2FA for all WTI staff. For customer deployments, a store administrator (or anyone holding that administrator's credentials) can submit arbitrary file content to these endpoints, which is a potential entry point to reach into the container and attempt a container escape. That risk is rated low, as store provisioning involves a manual verification of business legitimacy. Note that this is an administrative control: it limits who can reach the endpoints, not what a malicious upload can do once the application and its image processor handle it, so the uploaders themselves still need to validate what they accept.

Abandonment risk

CarrierWave is a very mature gem with multiple corporate sponsors and nearly a dozen publicly listed members in its GitHub organisation. It is very unlikely to be abandoned.

Versioning policy

Point releases within the 3.x series will be picked up by `bundle update` during our monthly updates. The Gemfile constraint should be pessimistic (`~> 3.0`) so that a monthly update cannot silently cross into a new major version.

If a major upgrade (4.0) is released, evaluation shall take place within two weeks of release, covering how the release affects MoR, the code changes needed for compatibility, and whether the 3.x branch will continue to receive maintenance, including security fixes, for as long as MoR stays on it.