RuboCop
Upstream URL | Security Risk | Abandonment Risk |
---|---|---|
https://rubocop.org/ | Medium | Very Low |
External contacts
The RuboCop team is reachable via their public GitHub issue tracker. Security reports are handled via Tidelift.
Security posture
RuboCop is a development-only dependency; it is not loaded in production. It is listed here because we rely on it for static checks that have security relevance, in particular our custom cop, which ensures that every controller in the Admin namespace inherits from AdminController, the base class that requires authentication for admin resources. The cop checks source structure only: it catches an admin controller written without the authenticating base class, but it does not verify that AdminController's own authentication filters behave correctly, which remains the job of the test suite.
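The following is an added illustration of the check described above, not the project's own cop. It is written against Ruby's bundled Ripper parser rather than the RuboCop cop API so that it runs without the rubocop gem; a real cop would perform the same match on RuboCop's AST inside `on_class`. The namespace `Admin` and the parent class `AdminController` are taken from this page; the file paths and sample sources are constructed. Two behaviours worth noting: `AdminController` itself is exempt, since it has to inherit from something else, and only the direct superclass is checked, so an intermediate base class would be reported and would need an explicit allow-list.

```ruby
# Added illustration, not the project's own cop: the "Admin controllers must
# inherit from AdminController" check written against Ruby's bundled Ripper
# parser, so it runs without the rubocop gem (a real cop matches in on_class).
require 'ripper'

ADMIN_NAMESPACE = 'Admin'           # assumed namespace of the admin controllers
REQUIRED_PARENT = 'AdminController' # the authenticating base class named on the page

# Name of a constant node: "Admin::Foo" for a scoped path, "::AdminController"
# for an explicitly top-level constant, nil for anything that is not a constant.
def const_name(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :@const              then node[1]
  when :const_ref, :var_ref then const_name(node[1])
  when :top_const_ref       then "::#{const_name(node[1])}"
  when :const_path_ref      then "#{const_name(node[1])}::#{const_name(node[2])}"
  end
end

# Line of the first constant token under a node (Ripper positions are [line, col]).
def first_line(node)
  node.flatten.find { |x| x.is_a?(Integer) }
end

# Walks the s-expression, tracking `module` nesting so that both
# `module Admin; class X` and `class Admin::X` resolve to "Admin::X".
# Yields [full_class_name, direct_superclass_description, line].
def each_class(node, scope = [], &blk)
  return unless node.is_a?(Array)
  case node[0]
  when :module
    each_class(node[2], scope + [const_name(node[1])], &blk)
  when :class
    inner = scope + [const_name(node[1])]
    parent = node[2] ? const_name(node[2]) || '(non-constant expression)' : 'Object'
    blk.call(inner.join('::'), parent, first_line(node[1]))
    each_class(node[3], inner, &blk) # classes nested inside this class
  else
    node.each { |child| each_class(child, scope, &blk) }
  end
end

# One offense string per controller class in the Admin namespace whose direct
# superclass is not AdminController. AdminController itself is exempt; a class
# with no superclass is reported as "got Object"; an intermediate base class such
# as Admin::BaseController is reported too and would need an explicit allow-list.
def admin_controller_offenses(source, path = '(source)')
  sexp = Ripper.sexp(source)
  return ["#{path}: could not parse"] if sexp.nil?
  offenses = []
  each_class(sexp) do |name, parent, line|
    next unless name.start_with?("#{ADMIN_NAMESPACE}::") && name.end_with?('Controller')
    next if name.split('::').last == REQUIRED_PARENT
    next if [REQUIRED_PARENT, "::#{REQUIRED_PARENT}"].include?(parent)
    offenses << "#{path}:#{line} #{name} must inherit from #{REQUIRED_PARENT} (got #{parent})"
  end
  offenses
end

# Constructed sample sources standing in for files under app/controllers.
SAMPLE_SOURCES = {
  'app/controllers/admin/products_controller.rb' => <<~RUBY, # compliant, nested form
    module Admin
      class ProductsController < AdminController
      end
    end
  RUBY
  'app/controllers/admin/orders_controller.rb' => <<~RUBY, # compliant, compact form
    class Admin::OrdersController < ::AdminController
    end
  RUBY
  'app/controllers/admin/reports_controller.rb' => <<~RUBY, # offense: unauthenticated base
    module Admin
      class ReportsController < ApplicationController
      end
    end
  RUBY
  'app/controllers/admin/users_controller.rb' => <<~RUBY, # offense: implicit Object parent
    module Admin
      class UsersController
      end
    end
  RUBY
  'app/controllers/products_controller.rb' => <<~RUBY # outside Admin: ignored
    class ProductsController < ApplicationController
    end
  RUBY
}

def scan_all(sources = SAMPLE_SOURCES)
  sources.flat_map { |path, src| admin_controller_offenses(src, path) }
end

puts scan_all # reports reports_controller.rb:2 and users_controller.rb:2
```

To run this over a real checkout, replace `SAMPLE_SOURCES` with a hash built from `Dir.glob('app/controllers/**/*.rb')` and `File.read`. The same logic expressed as a RuboCop cop would gain the pipeline integration (offense locations, autocorrect hooks, `.rubocop.yml` configuration) that makes it fail the CI job rather than merely print a list.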
Abandonment risk
RuboCop has multiple enterprise sponsors, including Airbnb, Coinbase, and DigitalOcean. It has a well-funded OpenCollective, a well-defined core team, and many contributors. It is also part of Tidelift. For these reasons, we find it very unlikely to be abandoned.
We recommend financially supporting RuboCop when we are able to.
If it were abandoned, it would still be useful to the Mall on Rails project in its present state, and further maintenance would likely be picked up by the community.
Versioning policy
We presently pin RuboCop to 1.56.x because that is the version used by the built-in GitLab CI/CD pipeline. When the pipeline moves to a newer version, we will evaluate it within one week. That evaluation includes confirming that our code still satisfies any built-in expectations and that our custom cop still works correctly against the new version.