having _danger-local-https may result in insecure payjoin-cli build if built with --all-features #451

Open
nothingmuch opened this issue Jan 2, 2025 · 0 comments

nothingmuch commented Jan 2, 2025

the _danger-local-https feature allows skipping certificate validation for testing purposes.

we should make sure it's not possible, or at least not easy to inadvertently build a payjoin-cli binary that has this feature enabled

note: i did not verify that --all-features doesn't skip features with leading underscores

possible approaches:

  • remove need for bypassing certificate checks in tests?
  • hide this behind a dev dependency somehow?
  • ...?
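
One way to make an inadvertent release build fail loudly, as an added example that is not part of the original issue or the payjoin code base: a compile-time guard that rejects the feature whenever the build uses a profile without debug assertions. Only the feature name `_danger-local-https` comes from the issue; `CertPolicy`, `cert_policy` and `startup_warning` are hypothetical names.

```rust
// Added illustration; not code from the payjoin repository.
// Assumption: the crate declares a Cargo feature named `_danger-local-https`.

// Profiles without debug assertions (Cargo's default `release` profile)
// refuse to compile when the feature is on, however it got enabled, so the
// build stops instead of producing a binary that skips certificate checks.
#[cfg(all(feature = "_danger-local-https", not(debug_assertions)))]
compile_error!("`_danger-local-https` disables TLS certificate validation; not allowed in release builds");

/// How the (hypothetical) HTTPS client treats server certificates.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CertPolicy {
    Verify,
    SkipForLocalTesting,
}

/// True only when the crate was compiled with the danger feature.
pub const DANGER_LOCAL_HTTPS: bool = cfg!(feature = "_danger-local-https");

/// Validation is skipped only if the feature is compiled in AND the caller
/// (a test harness) explicitly asks for it; every other combination verifies.
pub fn cert_policy(test_requests_skip: bool) -> CertPolicy {
    if DANGER_LOCAL_HTTPS && test_requests_skip {
        CertPolicy::SkipForLocalTesting
    } else {
        CertPolicy::Verify
    }
}

/// Second line of defence for debug builds: a banner to print at startup so
/// a binary carrying the feature is never mistaken for a normal one.
pub fn startup_warning() -> Option<&'static str> {
    if DANGER_LOCAL_HTTPS {
        Some("WARNING: built with _danger-local-https; TLS certificates may not be validated")
    } else {
        None
    }
}

fn main() {
    if let Some(banner) = startup_warning() {
        eprintln!("{banner}");
    }
    println!("certificate policy: {:?}", cert_policy(true));
}
```

The trade-off is that tests which need the feature can then only run under a profile that keeps debug assertions on.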