bitcrowd / tickety-tick

A browser extension that helps you name branches and write better commit messages
MIT License

Support Github Advisory database #289

Closed klappradla closed 3 years ago

klappradla commented 3 years ago

Dependabot is a nice robot, but sometimes the situation / dependencies are just too deeply wrangled into each other to update something without a human pair of eyes on the situation. I personally then usually draft a PR based on the information for Github's advisory database 🚜

Taking for instance GHSA-8hc4-xxm3-5ppp, I come up with this Git game:

Was just wondering if this is a regular use case and if it therefore would make sense to extend the Github adapter to also be able to read/parse these pages? What do you think?

pmeinhardt commented 3 years ago

I've never had this specific case, but then - if there is a CVE in one of the packages we use in a project - I usually just create a more general "Update package dependencies" PR. If people (you) are missing this feature though and the advisory pages are somewhat stable (which I guess they are by now), then I don't see why we shouldn't support it if anybody wants to whip up a PR. 🙂

klappradla commented 3 years ago

Thought about it and potential use cases a bit more (I simply dumped it here as a wild idea). I'd now say it's too narrow/edgy a use case and not worth opening the scope of Tickety Tick to things different than actual "tickets".

Your point about creating a separate ticket for updating dependencies kinda made the "click": it's pretty rare that something can be patched by updating a single dependency. In most cases it's updating the framework or a few more. For the rare cases where it's possible, the job can be done by Dependabot alone.

In the example I gave above, I actually patched two security vulnerabilities by updating the same dependency 🤷.

Still, good to have taken the 🧠 roundtrip on this 😉