MangoIV / cabal-audit

audit your cabal projects for haskell-specific security-advisories

Checking dependencies listed in cabal.project source-repository-package #24

Open BebeSparkelSparkel opened 6 months ago

BebeSparkelSparkel commented 6 months ago

It would be helpful to have some insight into forked packages listed in the cabal.project file and whether that fork has unresolved vulnerabilities.

MangoIV commented 6 months ago

I guess you mean that if you have a cabal.project file that has source-repository packages declared, there should be information on that?

What kind of information do you imagine? A fork would still have versioning, so if you e.g. have some vulnerable library x that is vulnerable from version n and you have a fork of x with version >= n, then this vulnerability would still show up.

BebeSparkelSparkel commented 6 months ago

Something like that. If using git, you could look to see if the error is in the history without the fix commit.

I may be incorrect with the following, but if the fork also increments the version numbers it could be hard to tell if the fix has been added.

MangoIV commented 6 months ago

Yes, it appears. Perhaps we could add a warning like “this dependency is included in your project as a fork, take extra care”.

BebeSparkelSparkel commented 6 months ago

That's a good start.

MangoIV commented 6 months ago

I think I will make this part of a larger task that I’m imagining, which would also suggest updating outdated dependencies; I think that’s a good fit.

BebeSparkelSparkel commented 6 months ago

Many will want a flag to disable that option.
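As an added illustration of the check discussed in this thread (not cabal-audit's own code), the following parses the `source-repository-package` stanzas of a cabal.project file, matches the resolved package names against an advisory table, and emits the suggested fork warning behind a flag that can be turned off. The cabal.project text, the advisory table with its placeholder ids, and the package-name resolution (subdir, else repository basename) are constructed assumptions here.

```python
import re

# Constructed cabal.project: a git fork of `x` (via subdir) and an unrelated fork `y`.
CABAL_PROJECT = """\
source-repository-package
    type: git
    location: https://example.invalid/someone/x-fork.git
    tag: 3f9a2c1
    subdir: x

source-repository-package
    type: git
    location: https://example.invalid/someone/y.git
    tag: v2.1.0
"""

# Constructed advisory table: package name -> advisory id (placeholder id).
ADVISORIES = {"x": "HSEC-XXXX-XXXX"}


def parse_source_repository_packages(text):
    """Return one dict of fields per source-repository-package stanza."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text):
        lines = block.strip().splitlines()
        if not lines or lines[0].strip() != "source-repository-package":
            continue
        fields = {}
        for line in lines[1:]:
            key, _, value = line.strip().partition(":")  # first colon only; URLs keep theirs
            fields[key.strip()] = value.strip()
        stanzas.append(fields)
    return stanzas

def package_name(stanza):
    """Assumed resolution: `subdir` if present, else repo basename minus `.git`."""
    path = stanza.get("subdir") or re.sub(r"\.git$", "", stanza["location"])
    return path.rstrip("/").split("/")[-1]

def audit_forks(text, advisories, warn_forks=True):
    """Report advised packages pulled from a source repository. A fork's version
    does not prove the fix commit is present, so the match is reported whatever the tag."""
    findings = []
    for stanza in parse_source_repository_packages(text):
        name = package_name(stanza)
        if name in advisories:
            msg = f"{name} from {stanza['location']}@{stanza.get('tag', '?')} matches {advisories[name]}"
            if warn_forks:  # the flag the thread asks for: warning can be disabled
                msg += "; this dependency is included in your project as a fork, take extra care"
            findings.append({"package": name, "advisory": advisories[name], "message": msg})
    return findings
```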