FYI: CII Best Practices badge site continues to get updates

David A. Wheeler

FYI: We continue to work to keep the CII Best Practices badge site working smoothly. In particular, we've done a number of updates to keep things going over the last several months. You generally should NOT notice these updates from the user side. If you're curious, I've listed below some of the updates we've done.

That's not including various functional refinements, such as inserting word breaks in the projects page (so the display is better on small screens).

As you can see by the recent progress email, the number of participating & passing projects continues to grow. My thanks to everyone!!

--- David A. Wheeler

====== DETAILS ======

Various updates:
* We've updated from PostgreSQL 9.4 to 11.5.
* We've updated from Ruby 2.5.1 to Ruby 2.6.3.
* Our test infrastructure (on CircleCI) uses an updated image.  We had been running on an old Ubuntu 14.04 image.  We're now running on a custom ruby:2.5.1-stretch image, and we have a posted Docker file to create the custom image.
* We've updated our JavaScript test framework to Capybara+Selenium+ChromeDriver.  We were previously using PhantomJS, but its development had been suspended as of 2019-03-03.
* We continue to update individual libraries.  This includes nokogiri, webmock, hashdiff, mini_mime, public_suffix, bundler, railroader, addressable, archive-zip, autoprefixer-rails, bindex, docile, ffi, gitlab, jwt, mime-types-data, and more.
* We've countered CVE-2015-9284 in omniauth.  Unfortunately, at the time of this writing the omniauth folks STILL have not fixed it (!). That is, of course, very concerning.  There is a shim by a third party that *does* fix it: omniauth-rails_csrf_protection.  I reviewed the code and it looks okay.  To provide a stronger guarantee that what I reviewed is what will be loaded, I'm specifying a specific hash reference.  That's no guarantee, but it does make attacks harder to perform.
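The two defensive points in that last bullet (the request phase of an OmniAuth login must not be startable by a plain GET, and a git-sourced gem is only "what I reviewed" when it is pinned to a full commit hash) are illustrated by the following added example. It is not code from the badge project, from omniauth, or from the omniauth-rails_csrf_protection gem; it is a simplified model of the check that shim adds, written against a plain Rack-style env hash with constructed sample requests. The `build_env`, `request_phase_allowed?` and `pinned_to_commit?` names are assumptions made for this example, and the commit hash in the Gemfile comment is a placeholder, not a real revision.

```ruby
# Added example (not the badge project's or omniauth's code): a minimal model of
# the CSRF check that omniauth-rails_csrf_protection adds to the OmniAuth request
# phase, plus a helper that checks a Gemfile git pin names a full commit hash.
require 'uri'
require 'stringio'

# Build a minimal Rack-style env hash for a constructed sample request.
def build_env(method, path, body = '')
  {
    'REQUEST_METHOD' => method,
    'PATH_INFO' => path,
    'rack.input' => StringIO.new(body)
  }
end

# Constant-time byte comparison so a token mismatch does not leak, through
# timing, how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Legacy behaviour described by CVE-2015-9284: any request to /auth/:provider,
# including a GET that another site can trigger, starts the login flow.
# Shown only for contrast with the hardened version below.
def request_phase_allowed_legacy?(env)
  env['PATH_INFO'].start_with?('/auth/')
end

# Hardened behaviour (what the shim enforces, simplified): the request phase
# must be a POST carrying an authenticity_token that matches the one held in
# the user's session, so a third-party page cannot initiate the login.
def request_phase_allowed?(env, session_token)
  return false unless env['PATH_INFO'].start_with?('/auth/')
  return false unless env['REQUEST_METHOD'] == 'POST'
  body = env['rack.input'].read
  env['rack.input'].rewind
  params = URI.decode_www_form(body).to_h
  submitted = params['authenticity_token'].to_s
  return false if submitted.empty? || session_token.to_s.empty?
  secure_compare(submitted, session_token.to_s)
end

# A git-sourced gem is pinned to the reviewed code only when `ref:` is a full
# 40-hex-digit commit hash; a branch or tag name can move after the review.
# Example Gemfile line (the hash below is a PLACEHOLDER, not a real commit):
#   gem 'omniauth-rails_csrf_protection',
#       git: 'https://github.com/cookpad/omniauth-rails_csrf_protection',
#       ref: '0123456789abcdef0123456789abcdef01234567'
def pinned_to_commit?(ref)
  ref.to_s.match?(/\A\h{40}\z/)
end

if __FILE__ == $PROGRAM_NAME
  token = 'constructed-session-token'
  get_env = build_env('GET', '/auth/example')
  post_env = build_env('POST', '/auth/example', "authenticity_token=#{token}")
  puts "legacy allows GET:   #{request_phase_allowed_legacy?(get_env)}"
  puts "hardened allows GET: #{request_phase_allowed?(get_env, token)}"
  puts "hardened allows POST with token: #{request_phase_allowed?(post_env, token)}"
  puts "branch name pins a commit: #{pinned_to_commit?('master')}"
end
```

The check models only the form-field token; the real shim delegates to Rails' own request verification, which also accepts the token via the X-CSRF-Token header. Bundler additionally records the resolved revision in Gemfile.lock, so the lock file should be committed alongside the pinned `ref:`.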