faker VS cargo-crev

-----> Ruby app detected-----> Compiling Ruby/Rails-----> Using Ruby version: ruby-2.5.1-----> Installing dependencies using bundler 1.15.2 Running: bundle install --without development:test --path vendor/bundle --binstubs vendor/bundle/bin -j4 --deployment Warning: the running version of Bundler (1.15.2) is older than the version that created the lockfile (1.16.3). We suggest you upgrade to the latest version of Bundler by running `gem install bundler`. Fetching gem metadata from https://rubygems.org/............ Fetching version metadata from https://rubygems.org/.. Fetching dependency metadata from https://rubygems.org/. Using rake 12.3.1 Using concurrent-ruby 1.1.3 Using minitest 5.11.3 Using thread_safe 0.3.6 Using builder 3.2.3 Using erubi 1.7.1 Using mini_portile2 2.3.0 Using crass 1.0.4 Using rack 2.0.6 Using nio4r 2.3.1 Using websocket-extensions 0.1.3 Using mini_mime 1.0.1 Using jsonapi-renderer 0.2.0 Using arel 9.0.0 Using mimemagic 0.3.2 Using public_suffix 3.0.3 Using airbrake-ruby 2.12.0 Using execjs 2.7.0 Using bcrypt 3.1.12 Using popper_js 1.14.5 Using rb-fsevent 0.10.3 Using ffi 1.9.25 Using bundler 1.15.2 Using regexp_parser 1.3.0 Using mime-types-data 3.2018.0812 Using chartkick 3.0.1 Using highline 2.0.0 Using connection_pool 2.2.2 Using orm_adapter 0.5.0 Using method_source 0.9.2 Using thor 0.19.4 Using multipart-post 2.0.0 Using geokit 1.13.1 Using temple 0.8.0 Using tilt 2.0.9 Using hashie 3.5.7 Using json 2.1.0 Using mini_magick 4.9.2 Using multi_json 1.13.1 Using newrelic_rpm 5.5.0.348 Using one_signal 1.2.0 Using xml-simple 1.1.5 Using pg 0.21.0 Using puma 3.12.0 Using rack-timeout 0.5.1 Using redis 4.0.3 Using secure_headers 6.0.0 Using swagger-ui_rails 0.1.7 Using i18n 1.1.1 Using nokogiri 1.8.5 Using tzinfo 1.2.5 Using websocket-driver 0.7.0 Using mail 2.7.1 Using marcel 0.3.3 Using addressable 2.5.2 Using rack-test 1.1.0 Using warden 1.2.8 Using sprockets 3.7.2 Using request_store 1.4.1 Using rack-protection 2.0.4 Using rack-proxy 0.6.5 Using autoprefixer-rails 9.4.2 Using uglifier 4.1.20 Using airbrake 7.4.0 Using rb-inotify 0.9.10 Using mime-types 3.2.2 Using commander 4.4.7 Using net-http-persistent 3.0.0 Using faraday 0.15.4 Using hashie-forbidden_attributes 0.1.1 Using omniauth 1.8.1 Using haml 5.0.4 Using slim 4.0.1 Using paypal-sdk-core 0.3.4 Using faker 1.9.1 from https://github.com/stympy/faker.git (at master@aca03be) Using money 6.13.1 Using loofah 2.2.3 Using xpath 3.2.0 Using activesupport 5.2.0 Using sidekiq 5.2.3 Using sass-listen 4.0.0 Using houston 2.4.0 Using stripe 4.2.0 Using paypal-sdk-adaptivepayments 1.117.1 Using monetize 1.9.0 Using rails-html-sanitizer 1.0.4 Using capybara 3.12.0 Using rails-dom-testing 2.0.3 Using globalid 0.4.1 Using activemodel 5.2.0 Using case_transform 0.2 Using decent_exposure 3.0.0 Using factory_bot 4.11.1 Using fast_jsonapi 1.5 Using groupdate 4.1.0 Using pundit 2.0.0 Using sass 3.7.2 Using actionview 5.2.0 Using activerecord 5.2.0 Using carrierwave 1.2.3 Using activejob 5.2.0 Using actionpack 5.2.0 Using bootstrap 4.1.3 Using actioncable 5.2.0 Using actionmailer 5.2.0 Using active_model_serializers 0.10.8 Using activestorage 5.2.0 Using railties 5.2.0 Using sprockets-rails 3.2.1 Using simple_form 4.1.0 Using responders 2.4.0 Using factory_bot_rails 4.11.1 Using font-awesome-rails 4.7.0.4 Using highcharts-rails 6.0.3 Using jquery-rails 4.3.3 Using lograge 0.10.0 Using money-rails 1.13.0 Using slim-rails 3.2.0 Using webpacker 3.5.5 Using rails 5.2.0 Using sass-rails 5.0.7 Using geokit-rails 2.3.1 Using swagger-docs 0.2.9 Using devise 4.5.0 Using devise_token_auth 1.0.0 Bundle complete! 68 Gemfile dependencies, 125 gems now installed. Gems in the groups development and test were not installed. Bundled gems are installed into ./vendor/bundle. Bundle completed (5.09s) Cleaning up the bundler cache. Warning: the running version of Bundler (1.15.2) is older than the version that created the lockfile (1.16.3). We suggest you upgrade to the latest version of Bundler by running `gem install bundler`. The latest bundler is 2.0.1, but you are currently running 1.15.2. To update, run `gem install bundler`-----> Installing node-v10.14.1-linux-x64-----> Installing yarn-v1.12.3-----> Detecting rake tasks-----> Preparing app for Rails asset pipeline Running: rake assets:precompile yarn install v1.12.3 warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json. [1/5] Validating package.json... [2/5] Resolving packages... [3/5] Fetching packages... info [email protected]: The platform "linux" is incompatible with this module. info "[email protected]" is an optional dependency and failed compatibility check. Excluding it from installation. [4/5] Linking dependencies... warning "@rails/webpacker > [email protected]" has unmet peer dependency "caniuse-lite@^1.0.30000697". warning " > [email protected]" has incorrect peer dependency "react@^15.4.2". warning " > [email protected]" has unmet peer dependency "classnames@^2.2.5". warning " > [email protected]" has incorrect peer dependency "react@^15.0.1". warning " > [email protected]" has unmet peer dependency "immutable@^3.8.1 || ^4.0.0-rc.1". warning "eslint-config-airbnb > [email protected]" has incorrect peer dependency "eslint-plugin-import@^2.7.0". warning " > [email protected]" has unmet peer dependency "webpack@^2.2.0 || ^3.0.0". warning "webpack-dev-server > [email protected]" has unmet peer dependency "webpack@^1.0.0 || ^2.0.0 || ^3.0.0". [5/5] Building fresh packages... $ cd client && yarn yarn install v1.12.3 warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json. [1/5] Validating package.json... [2/5] Resolving packages... [3/5] Fetching packages... info [email protected]: The platform "linux" is incompatible with this module. info "[email protected]" is an optional dependency and failed compatibility check. Excluding it from installation. [4/5] Linking dependencies... warning " > [email protected]" has unmet peer dependency "webpack@2 || 3". warning " > [email protected]" has incorrect peer dependency "react@^0.14.9 || ^15.0.0". warning " > [email protected]" has incorrect peer dependency "react@^15". warning " > [email protected]" has incorrect peer dependency "react@^15". warning " > [email protected]" has incorrect peer dependency "[email protected] || 0.14.x || ^15.0.0-0 || 15.x". warning " > [email protected]" has unmet peer dependency "webpack@>=1.11.0". warning " > [email protected]" has unmet peer dependency "webpack@1 || ^2 || ^2.1.0-beta || ^2.2.0-rc || ^3". warning "image-webpack-loader > [email protected]" has unmet peer dependency "webpack@^2.0.0 || ^3.0.0 || ^4.0.0". warning " > [email protected]" has incorrect peer dependency "react@^15.6.1". [5/5] Building fresh packages... Done in 31.85s. Done in 76.09s. Webpacker is installed 🎉 🍰 Using /tmp/build_8f521e11fc612876bcd3c01cd8da6bdd/config/webpacker.yml file for setting up webpack paths Compiling… Compilation failed: FATAL ERROR: Ineffective mark-compacts near heap limit Allocation failed - JavaScript heap out of memory 1: 0x8dbaa0 node::Abort() [node] 2: 0x8dbaec [node] 3: 0xad83de v8::Utils::ReportOOMFailure(v8::internal::Isolate*, char const*, bool) [node] 4: 0xad8614 v8::internal::V8::FatalProcessOutOfMemory(v8::internal::Isolate*, char const*, bool) [node] 5: 0xec5c42 [node] 6: 0xec5d48 v8::internal::Heap::CheckIneffectiveMarkCompact(unsigned long, double) [node] 7: 0xed1e22 v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) [node] 8: 0xed2754 v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) [node] 9: 0xed53c1 v8::internal::Heap::AllocateRawWithRetryOrFail(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) [node] 10: 0xe9e844 v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) [node] 11: 0x113dfae v8::internal::Runtime_AllocateInNewSpace(int, v8::internal::Object**, v8::internal::Isolate*) [node] 12: 0x2daefc5be1d <--- Last few GCs ---> [587:0x2713f20] 1469419 ms: Mark-sweep 1362.0 (1417.7) -> 1361.9 (1418.2) MB, 1183.8 / 0.0 ms (average mu = 0.099, current mu = 0.004) allocation failure scavenge might not succeed [587:0x2713f20] 1470575 ms: Mark-sweep 1363.1 (1418.7) -> 1362.9 (1419.7) MB, 1151.7 / 0.0 ms (average mu = 0.053, current mu = 0.004) allocation failure scavenge might not succeed <--- JS stacktrace ---> ==== JS stack trace ========================================= 0: ExitFrame [pc: 0x2daefc5be1d] Security context: 0x395bbaa1e6e1 1: addMappingWithCode [0x1a4bb3f1a89] [/tmp/build_8f521e11fc612876bcd3c01cd8da6bdd/node_modules/webpack-sources/node_modules/source-map/lib/source-node.js:~150] [pc=0x2daf487dfd2](this=0x08663a09ad49 ,mapping=0x2969e26a1e61 ,code=0x3e38d99f4479 ) 2: /* anonymous */ [0x1a4bb3dcc79] [/tmp/... ! ! Precompiling assets failed. ! ! Push rejected, failed to compile Ruby app. ! Push failed I've tried various methods in my package.json file: "scripts" : { "start": "cross-env NODE\_OPTIONS=--max\_old\_space\_size=5120 webpack"}"scripts" : { "webpacker": "node --max-old-space-size=4096 node\_modules/.bin/react-scripts start"}"scripts" : { "start": "node --max-old-space-size=6144 client/app/app.js"} I've researched and found various github and stackoverflow threads but they do not seem to fix my issue. https://github.com/npm/npm/issues/12238 Increase JavaScript Heap size in create-react-app project Here is my package.json file: { "name": "safe\_deliver", "private": true, "engines": { "node": ">=6.0.0", "yarn": ">=0.25.2" }, "scripts": { "postinstall": "cd client && yarn", "pre-commit": "cd client && npm run lint:staged", "start": "cross-env NODE\_OPTIONS=--max-old-space-size=6144 bin/webpack" }, "dependencies": { "@fortawesome/fontawesome": "^1.1.8", "@fortawesome/fontawesome-free": "^5.3.1", "@fortawesome/fontawesome-free-brands": "^5.0.13", "@fortawesome/fontawesome-free-regular": "^5.0.13", "@fortawesome/fontawesome-free-solid": "^5.0.13", "@fortawesome/fontawesome-svg-core": "^1.2.4", "@fortawesome/free-solid-svg-icons": "^5.3.1", "@fortawesome/react-fontawesome": "^0.1.3", "@rails/webpacker": "^3.3.1", "babel-plugin-emotion": "^9.2.6", "babel-preset-react": "^6.24.1", "babel-preset-stage-0": "^6.24.1", "bootstrap": "4.0.0", "chart.js": "^2.7.3", "chartkick": "^3.0.1", "emotion": "^9.2.6", "google-maps-react": "^2.0.2", "jquery": "^3.2.1", "jquery-ujs": "^1.2.2", "leaflet": "^1.3.1", "normalize.css": "^8.0.1", "popper.js": "^1.12.9", "prop-types": "^15.6.1", "rc-time-picker": "^3.6.2", "react": "^16.4.1", "react-addons-css-transition-group": "^15.6.2", "react-animate-height": "^2.0.5", "react-bootstrap-table-next": "^1.4.0", "react-calendar": "^2.16.0", "react-datepicker": "^2.3.0", "react-dom": "^16.4.1", "react-emotion": "^9.2.6", "react-fontawesome": "^1.6.1", "react-geocode": "^0.1.2", "react-https-redirect": "^1.0.11", "react-input-mask": "^2.0.4", "react-progressbar": "^15.4.1", "react-star-rating-component": "^1.4.1", "react-stripe-elements": "^2.0.1", "reactjs-popup": "^1.3.2", "redux-immutable": "^4.0.0", "reset-css": "^4.0.1", "seamless-immutable": "^7.1.4", "styled-components": "^3.4.2" }, "devDependencies": { "eslint": "3.19.0", "eslint-config-airbnb": "15.0.1", "eslint-plugin-import": "2.2.0", "eslint-plugin-jsx-a11y": "5.0.3", "eslint-plugin-react": "7.0.1", "pre-commit": "1.2.2", "webpack-dev-server": "^2.7.1" }} I am expecting this error to go away and the application to be deployed. Right now it is throwing javascript heap out of memory error. Answer link : https://codehunter.cc/a/reactjs/how-to-fix-fatal-error-ineffective-mark-compacts-near-heap-limit-allocation-failed-javascript-heap-out-of-memory-error

https://github.com/stympy/faker/ - Copyright (c) 2007-2010 Benjamin Curtis

[]JavaFaker](https://github.com/DiUS/java-faker) is an open-source library based on Faker to generate fake data.

If your are using gems like faker , factory_bot_rails and database_cleaner to create and clean test records then creating unnecessary records can cost you time and speed.

In other cases it may be more documented, such as Golangs baked-in telemetry.

There should be better ways to check these problems. The best I have found so far is Crev https://github.com/crev-dev/crev/. It's most used implementation is Cargo-crev https://github.com/crev-dev/cargo-crev, but hopefully it will become more required to use these types of tools. Certainty and metrics about how many eyes have been on a particular script, and what expertise they have would be a huge win for software.

The main problem the author is talking about is actually about version updates, which in Maven as well as crates.io is up to each lib's author, and is not curated in any way.

There's no technical solution to that, really. Do you think Nexus Firewall can pick up every exploit, or even most? How confident of that are you, and what data do you have to back that up? I don't have any myself, but would not be surprised at all if "hackers" can easily work around their scanning.

However, I don't have a better approach than using scanning tools like Nexus, or as the author proposes, use a curated library repository like Debian is doing (which hopefully gets enough eyeballs to remain secure) or the https://github.com/crev-dev/cargo-crev project (manually reviewed code) also mentioned. It's interesting that they mention C/C++ just rely on distros providing dynamic libs instead which means you don't even control your dependencies versions, some distro does (how reliable is the distro?)... I wonder if that could work for other languages or if it's just as painful as it looks in the C world.

For instance, the worst company imaginable may be in charge of software that was once FOSS, and they may change absolutely nothing about it, so it should be fine. However, if a small update is added that does something bad, you should know about it immediately.

The solution seems to be much more clearly in the realm of things like crev: https://github.com/crev-dev/cargo-crev/

Wherein users can get a clear picture of what dependencies are used in the full chain, and how they have been independently reviewed for security and privacy. That's the real solution for the future. A quick score that is available upon display everytime you upgrade, with large warnings for anything above a certain threshold.

The metrics on crates.io are a useful sniff test, but ultimately you need to review things yourself, or trust some contributors and reviewers. Some projects, like cargo crev or cargo vet can help with the process.

You can use cargo-geiger or cargo-crev to check for whether people you trusted (e.g. u/jonhoo ) trust this crate.

There is a similar idea being explored with https://github.com/crev-dev/cargo-crev - you trust a reviewer who reviews crates for trustworthiness, as well as other reviewers.

[cargo-crev](https://github.com/crev-dev/cargo-crev) looks like a good step in the right direction but not really commonly used.

'cargo crev' makes this kind of workflow possible: https://github.com/crev-dev/cargo-crev

The crev folks themselves are no fans of PGP but need a way to security identify that you are in fact the review author, so that's where the id generation comes in. Ultimately crev is just a bunch of repos with text files you sign with IDs. The nice property is that you can chain these together into a web of trust and it's unfortunate that vet doesn't just use the same signed files on repos model as a foundation because even if they don't trust anyone else, we could turn around and trust them.