Devise
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://github.com/heartcombo/devise | Very High | Very Low |
External contacts
The Devise team is reachable via their public GitHub issue tracker. Security reports are taken via a private Google Groups alias.
Security posture
OmniAuth is used to authenticate both external customers and administrators. Any security vulnerability in OmniAuth or any of the plugins that we use (termed strategies upstream) could allow unauthorised access to the administrator panel, or customer order history. This makes OmniAuth one of the most critical dependencies for the security of MoR.
Abandonment risk
The Devise project is mature and its primary maintainers run a consultancy around it. It is very unlikely to be abandoned. If it were, the wider Rails community should be surveyed to determine whether continued maintenance could be negotiated between us.
Versioning policy
Minor / point releases will be pulled in via bundle during our monthly update.
If a Devise 5.x were to be released, evaluation shall take place within one week of the release. We have a large amount of test coverage, so core flows are unlikely to break. However, we use custom views for the Customer sign in (to support our OmniAuth flows) and OmniAuth controller integration, which would need deeper inspection for continued compatibility.
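The policy above distinguishes releases the monthly `bundle update` may pull in automatically from a new major that must be evaluated by hand. The following Ruby script is an added example, not part of the dependency card or of the Devise project, showing how a pessimistic Gemfile constraint enforces that split; the constraint `~> 4.9` and the candidate version numbers are assumptions, not the pins actually in our Gemfile.

```ruby
# Added example: classify candidate Devise releases against the Gemfile
# constraint so the monthly update review knows which ones need a manual look.
# Assumed Gemfile line: gem 'devise', '~> 4.9'  (constraint is an assumption).
require 'rubygems'

DEVISE_CONSTRAINT = '~> 4.9'.freeze

# :routine  - satisfies the pessimistic constraint; `bundle update` may take it
# :evaluate - above the constraint ceiling (e.g. a new major); review within a week
# :older    - below the constraint floor; never pulled in
def classify_release(candidate, constraint = DEVISE_CONSTRAINT)
  req = Gem::Requirement.new(constraint)
  ver = Gem::Version.new(candidate)
  # Gem::Requirement#requirements is [[operator, Gem::Version]]; the version
  # in a '~>' requirement is the floor of the allowed range.
  _operator, floor = req.requirements.first
  return :routine if req.satisfied_by?(ver)

  ver > floor ? :evaluate : :older
end

# Pairs each candidate version string with its classification, for a quick
# triage table during the monthly update.
def triage(candidates, constraint = DEVISE_CONSTRAINT)
  candidates.to_h { |v| [v, classify_release(v, constraint)] }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions, not taken from any real release feed.
  triage(%w[4.8.1 4.9.4 4.10.0 5.0.0]).each do |version, verdict|
    puts "#{version.ljust(8)} #{verdict}"
  end
end
```

Because `~> 4.9` means "at least 4.9, below 5.0", a 4.10.0 is still `:routine` while 5.0.0 is `:evaluate`; tightening the constraint to `~> 4.9.0` would instead flag every minor release for review, which is stricter than the policy stated above.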