spree_cm_commissioner
Rb Install Time System: Direct shell invocation paired with eval/dynamic-require/network/deserialize.
Why PkgRadar flagged 2.8.3.pre.pre7
| Severity | Signal | Evidence |
|---|---|---|
| high | Rb Install Time System | Direct shell invocation paired with eval/dynamic-require/network/deserialize. · Rakefile |
| high | Rb Install Time Unsafe Deserialize | Marshal.load / YAML.unsafe_load — RCE if attacker-controlled. · Rakefile |
| high | Credential file access | matched "AWS_ACCESS_KEY" · app/interactors/spree_cm_commissioner/invalidate_cache_request.rb |
| high | Credential file access | matched "AWS_ACCESS_KEY" · app/interactors/spree_cm_commissioner/waiting_room_latest_system_metadata_puller.rb |
| high | Credential file access | matched "AWS_ACCESS_KEY" · lib/spree_cm_commissioner/s3_url_generator.rb |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
| 2.8.3.pre.pre7 | High risk | 75 | 2026-06-13 |
| 2.8.3.pre6 | High risk | 75 | 2026-06-10 |
| 2.8.3.pre.pre5 | High risk | 75 | 2026-06-09 |
| 2.8.3.pre.pre4 | High risk | 75 | 2026-06-08 |
| 2.8.3 | High risk | 75 | 2026-06-05 |
| 2.8.3.pre.pre1 | High risk | 75 | 2026-06-04 |
| 2.8.2.pre.pre.9 | High risk | 75 | 2026-06-02 |
| 2.8.2.pre.pre.8 | High risk | 75 | 2026-06-02 |
| 2.8.2.pre.pre.7 | High risk | 75 | 2026-06-02 |
| 2.8.2.pre.pre.6 | High risk | 75 | 2026-06-02 |
| 2.8.2.pre.pre.5 | High risk | 75 | 2026-06-01 |
| 2.8.2.pre.pre.4 | High risk | 75 | 2026-06-01 |
| 2.8.2.pre.pre.3 | High risk | 75 | 2026-06-01 |
| 2.8.2.pre.pre.2 | High risk | 75 | 2026-05-31 |
| 2.8.2 | High risk | 75 | 2026-05-30 |
| 2.8.2.pre.pre.1 | High risk | 75 | 2026-05-30 |
| 2.8.1.pre.pre.4 | High risk | 75 | 2026-05-30 |
Block this in CI
```shell
pkgradar gate --ecosystem rubygems spree_cm_commissioner@2.8.3.pre.pre7
```