Open MangoIV opened 3 months ago
I just realized that this may only ever work properly by doing solving on the direct dependencies vs the transitive dependencies, because the transitive dependencies really depend on the actual solving setup, e.g. a user could have jailbroken dependencies which would now include previously excluded dependencies. The problem is that when checking the transitive deps, what happens is that you would have to check each of the possible versions for the vulnerable dependency and then flag every library that could depend on that version as "burned".
Currently, as `cabal-audit` uses the cabal solver, it is mainly suited for projects that have a somewhat fixed dependency set; ideally we want to check against the entire possible version bounds in a package to make `cabal-audit` work well for library authors as well.
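As an added illustration of the two approaches being contrasted above (this is not code from `cabal-audit` or from the issue author), the snippet below compares auditing one fixed solver plan against marking every package version that could, within its declared bounds, pull in an affected version. The package index, bounds and advisory are constructed sample data; the half-open `[lo, hi)` ranges stand in for `>= lo && < hi` bounds.

```python
from typing import Dict, Set, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]  # [lo, hi): the package's ">= lo && < hi" bound

# Constructed sample index: package -> version -> (dependency -> allowed range).
INDEX: Dict[str, Dict[Version, Dict[str, Range]]] = {
    "crypto-lib": {(1, 0): {}, (1, 1): {}, (1, 2): {}},
    "http-lib": {
        (2, 0): {"crypto-lib": ((1, 0), (1, 2))},  # solver may choose 1.0 or 1.1
        (2, 1): {"crypto-lib": ((1, 2), (2, 0))},  # only 1.2 satisfies this bound
    },
    "my-app": {(0, 1): {"http-lib": ((2, 0), (3, 0))}},
}

# Constructed advisory: crypto-lib >= 1.0 && < 1.2 is affected.
ADVISORIES: Dict[str, Range] = {"crypto-lib": ((1, 0), (1, 2))}


def in_range(v: Version, r: Range) -> bool:
    return r[0] <= v < r[1]


def plan_affected(plan: Dict[str, Version], advisories: Dict[str, Range]) -> Set[str]:
    """Solver-plan audit: only the versions the solver actually picked are checked."""
    return {p for p, v in plan.items() if p in advisories and in_range(v, advisories[p])}


def burned(index, advisories) -> Set[Tuple[str, Version]]:
    """Bounds audit: a (package, version) is 'burned' when it is affected itself or
    when some version inside one of its dependency bounds is burned. Computed as a
    fixpoint, so transitive dependents are flagged regardless of how a user solves."""
    marked = {(p, v) for p, r in advisories.items()
              for v in index.get(p, {}) if in_range(v, r)}
    changed = True
    while changed:
        changed = False
        for pkg, versions in index.items():
            for ver, deps in versions.items():
                if (pkg, ver) in marked:
                    continue
                candidates = ((d, dv) for d, r in deps.items()
                              for dv in index.get(d, {}) if in_range(dv, r))
                if any(c in marked for c in candidates):
                    marked.add((pkg, ver))
                    changed = True
    return marked
```

With the sample data, the fixed plan `{"crypto-lib": (1, 2), "http-lib": (2, 1), "my-app": (0, 1)}` audits clean, while the bounds audit still flags `http-lib 2.0` and `my-app 0.1`, because their bounds admit the affected `crypto-lib` versions.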