Devise
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://github.com/heartcombo/devise | Very High | Very Low |
External contacts
The Devise maintainers are reachable through the project's public GitHub issue tracker. Security reports are accepted through a private Google Groups alias rather than the public tracker.
Security posture
Devise authenticates both external customers and administrators. Any vulnerability in Devise (an authentication bypass, a session or token-handling weakness, a flaw in password reset) could allow unauthorised access to the administrator panel or to customer order history. This makes Devise one of the most security-critical dependencies of RR.
Abandonment risk
The Devise project is mature and its primary maintainers run a consultancy around it, so abandonment is very unlikely. If it were abandoned, we would survey the wider Rails community to find out whether continued maintenance could be arranged jointly with other users of the library.
Versioning policy
Minor and point releases are pulled in with bundle update during our monthly dependency update.
If a Devise 5.x were released, evaluation shall take place within one week of the release. We have extensive test coverage, so the core flows are unlikely to break silently. However, we use custom views for customer sign-in (to support our OmniAuth flows) and an OmniAuth controller integration; these override Devise's own views and controllers and are the parts most likely to depend on internals that a major release may change, so they need closer inspection for continued compatibility.
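As an added illustration of the pin and the check this policy implies (example code written for this page, not RR's or Devise's own), the script below uses the rubygems version classes that ship with Ruby to work out which of a list of candidate releases the monthly bundle update would take under a `~> 4.9` pin, and which candidates are a new major that triggers the one-week evaluation. The pin, the installed version and the release list are assumptions; `5.0.0` is hypothetical.

```ruby
# Added example for the versioning policy above; not RR's or Devise's code.
# Uses only Gem::Version / Gem::Requirement from rubygems, so it runs offline.
require "rubygems"

# Assumed Gemfile line:   gem "devise", "~> 4.9"
# The pessimistic operator expands to ">= 4.9, < 5", so `bundle update devise`
# can move to any later 4.x but never to 5.0: a new major cannot arrive
# unnoticed in the monthly update and must be evaluated deliberately.
PINNED_REQUIREMENT = Gem::Requirement.new("~> 4.9")

# Constructed sample of a gem server's release list (5.0.0 is hypothetical).
SAMPLE_RELEASES = %w[4.9.2 4.9.3 4.9.4 5.0.0.rc1 5.0.0].freeze

# Parse version strings and drop prereleases: Bundler ignores prerelease
# versions unless the requirement itself names one, so "4.10.0.beta1" would
# not be picked up by the monthly update under a "~> 4.9" pin either.
def final_versions(available)
  available.map { |v| Gem::Version.new(v) }.reject(&:prerelease?)
end

# The release the routine monthly `bundle update devise` would land on:
# the highest final version that still satisfies the pin. Returns nil when
# nothing in the list satisfies it.
def latest_allowed(available)
  final_versions(available)
    .select { |v| PINNED_REQUIREMENT.satisfied_by?(v) }
    .max
    &.to_s
end

# Final releases whose major number is above the installed one. Each of
# these is outside the pin and, per the policy, needs evaluation within a
# week of release (custom views and OmniAuth controller first).
def majors_needing_review(available, installed)
  current_major = Gem::Version.new(installed).segments[0]
  final_versions(available)
    .select { |v| v.segments[0] > current_major }
    .sort
    .map(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  installed = "4.9.3" # assumed currently locked version
  puts "monthly update would take: #{latest_allowed(SAMPLE_RELEASES).inspect}"
  puts "majors needing review:     #{majors_needing_review(SAMPLE_RELEASES, installed).inspect}"
end
```

The review list is deliberately built from the raw release list rather than from what the pin allows: the pin keeps 5.x out of the lockfile, but the policy still needs a signal that 5.x exists, which is exactly the case the pin hides from `bundle outdated`-style checks.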