Closed therealnb closed 3 months ago
Hi @lukehinds and @therealnb !
Some initial comments and observations:
I'll make some other suggestions and feedback inline in the PR
@jonjanego thanks for the feedback.
+/- is whether the file was added or removed. The next symbol is whether this is a good idea or not. Basically, removing any file is safe (green tick). Adding one with a score lower than the configured levels might get a warning or a cross.
I did consider only showing files that were added, but it might be useful context to show the ones that are removed too (i.e. removing a high scoring one and replacing it with a low scoring one). I am open to suggestions here.
I'll work on your other comments.
Cheers
Thanks for the clarification. I think it's fine to include that, but a bit of UX feedback would be to split that information into two separate columns. It's a cleaner view that way.
I just saw your comment after I committed this code (https://github.com/StacklokLabs/trusty-dependency-review-action/commit/73dc7069e288507216620f8c7fe55dc495dc637a), which is another way to do it.
See https://github.com/StacklokLabs/DepRevTest/actions/runs/9131982560?pr=5 for an example.
If you want I can revert and we can have two columns. Let me know.
For information, these ones

| Dependency Change | Version | Score | Not Malicious | Not Deprecated | Not Archived |
|---|---|---|---|---|---|
| ❌ added bugsnagmw | 1.0.3 | 0 | ❌ | ✅ | ✅ |
| ⚠️ added psycopg | 3.1.18 | ✅ | ✅ | ✅ | 503 Service Unavailable |
| ⚠️ added psycopg_pool | 3.2.1 | ✅ | ✅ | ✅ | 200 failed |
| ⚠️ added pyarrow | 16.0.0 | ✅ | ✅ | ✅ | 503 Service Unavailable |
| ⚠️ added python_json_logger | 2.0.7 | ✅ | ✅ | ✅ | 200 failed |
| ⚠️ added scikit_learn | 1.4.2 | ✅ | ✅ | ✅ | 200 failed |
| ⚠️ added slack_sdk | 3.27.1 | ✅ | ✅ | ✅ | 200 failed |

are a bug I found in our ingestion. There is a fix for those that should be deployed next week.
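The verdict logic described earlier in the thread (removals always pass, additions below the configured levels get a warning or a cross) and the two-column layout suggested above, as an added illustration that is not the action's own code. The threshold names, the treatment of a failed score lookup as a warning (matching the table above), and the sample rows are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed thresholds (hypothetical names; the real configuration keys of the
# action are not shown in this thread). Scores at or above WARN_LEVEL pass,
# scores below FAIL_LEVEL are rejected, anything in between is a warning.
WARN_LEVEL = 60
FAIL_LEVEL = 40


@dataclass
class DependencyChange:
    name: str
    version: str
    action: str             # "added" or "removed"
    score: Optional[int]    # None when the score lookup failed
    lookup_error: str = ""  # error text to surface when score is None


def classify(change: DependencyChange) -> str:
    """Return the verdict symbol for one dependency change."""
    if change.action == "removed":      # removing a file is always safe
        return "✅"
    if change.score is None:            # assumption: no score -> warn, not fail
        return "⚠️"
    if change.score < FAIL_LEVEL:
        return "❌"
    if change.score < WARN_LEVEL:
        return "⚠️"
    return "✅"


def render_row(change: DependencyChange) -> str:
    """One markdown row with the +/- change and the verdict in separate columns."""
    sign = "+" if change.action == "added" else "-"
    score = str(change.score) if change.score is not None else (change.lookup_error or "n/a")
    return f"| {sign} | {classify(change)} | {change.name} | {change.version} | {score} |"


def render_table(changes: List[DependencyChange]) -> str:
    header = "| Change | Verdict | Dependency | Version | Score |\n|---|---|---|---|---|"
    return "\n".join([header] + [render_row(c) for c in changes])


# Constructed sample input, not taken from the real run linked in the thread.
SAMPLE = [
    DependencyChange("bugsnagmw", "1.0.3", "added", 0),
    DependencyChange("psycopg", "3.1.18", "added", None, "503 Service Unavailable"),
    DependencyChange("oldlib", "0.9.0", "removed", 10),
    DependencyChange("requests", "2.31.0", "added", 85),
]

if __name__ == "__main__":
    print(render_table(SAMPLE))
```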
Hi, as discussed with @lukehinds, we are going to close this PR.
This is some work to include trusty scores in the dependency review action.
There are some more unit tests and this has been manually tested with https://github.com/StacklokLabs/DepRevTest/actions.
Many thanks.
CC @lukehinds