Use bundle-audit rake task from the gem

[odlp]

Instead of defining the audit task from scratch, we can now import the task from the gem itself.

One caveat: The task name changes from bundler:audit to bundle:audit as defined by the gem. We could make an alias between the old & new command but I suspect most use is just via the default Rake task.

[houndci-bot]

Prefer single-quoted strings when you don't need string interpolation or special symbols.

[houndci-bot]

Prefer single-quoted strings when you don't need string interpolation or special symbols.

[houndci-bot]

Prefer single-quoted strings when you don't need string interpolation or special symbols.
%-literals should be delimited by ( and ).

[croaky]

Should this be task default: ["spec", "bundle:audit"]?

[odlp]

Although it may be clearer what's going on defined as one line, is it lumping together responsibilities? I think we should augment the default task with bundle:audit independently of expecting the specs to run.

Having said that, I did find Rake's behaviour of find the append (rather-than-redefine) mechanism confusing at first... it's not clear.

# Rakefile

task :foo do
  puts "FOO"
end

task :bar do
  puts "BAR"
end

task(:default).clear
task default: :foo
task default: :bar

$ bundle exec rake
FOO
BAR

---

One way we could make this clearer is writing it as:

Rake::Task[:default].enhance ["bundle:audit"]

Then there's less confusion whether the task is being overwritten or modified.

[odlp]

@croaky also this comment on the original PR for context: #831 (comment)

[croaky]

Although it may be clearer what's going on defined as one line, is it lumping together responsibilities? I think we should augment the default task with bundle:audit independently of expecting the specs to run.

I think I'd expect rake in a Suspender-ized app to run spec then bundle:audit at this point. If that's what is happening via multiple task default: invocations, that's great.

Related: I learned about https://github.com/presidentbeef/brakeman last week. Seems like it covers security cases additional to Bundle Audit. Might be worth experimenting with on some apps.

[delphaber]

@croaky we are using brakeman in our suspenders fork. I can cherry-pick and create a PR if you are interested!

[houndci-bot]

Prefer single-quoted strings when you don't need string interpolation or special symbols.

[houndci-bot]

Prefer single-quoted strings when you don't need string interpolation or special symbols.

[houndci-bot]

Prefer single-quoted strings when you don't need string interpolation or special symbols.
%-literals should be delimited by ( and ).

[odlp]

Disregarding the Hound single-quoted strings warnings because the changes match the current formatting of the files changed, and the thoughtbot Ruby styleguide states:

Prefer double quotes for strings.

We could disable this check by adding a .rubocop.yml entry for this rule like this.

[croaky]

Nice! Do we need to update any generated RSpec task to reference bundle:audit now instead of bundler:audit? I think we configure it to run after the suite passes.

[croaky]

I like the idea of switching the Hound config to prefer double quotes strings and moving toward that over time as files are touched.

[odlp]

@croaky yes, the default Rake task (which has :spec defined a few lines above), gets the "bundle:audit" task appended to it. I've updated that as part of the PR on this line.

So ultimately the Rakefile in a new Suspenders project looks like this:

# Add your own tasks in files placed in lib/tasks ending in .rake,
# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.

require_relative 'config/application'

Rails.application.load_tasks
task(:default).clear
task default: [:spec]

if defined? RSpec
  task(:spec).clear
  RSpec::Core::RakeTask.new(:spec) do |t|
    t.verbose = false
  end
end

task default: "bundle:audit"

So task default ends up being [:spec, "bundle:audit"] because Rake appends to a pre-declared task.