cncf / clomonitor

CLOMonitor is a tool that periodically checks open source project repositories to verify they meet certain project health best practices.
https://clomonitor.io
Apache License 2.0
112 stars 73 forks

Add in updateCLI in check for dependency update tool check #826

Closed cwayne18 closed 1 year ago

cwayne18 commented 1 year ago

For the dependency update tool check, AFAICS it currently only checks for Dependabot/Renovate, while some projects may be using [updateCLI](https://updatecli.io/) to do the same kind of automation. Could it make sense to check for updateCLI configs as well?

tegioz commented 1 year ago

Hi @cwayne18 👋

Yes, that makes sense. CLOMonitor relies on OpenSSF Scorecard for this check, so it'd be great if this was implemented upstream. Otherwise we can extend that check on our end, that'd be another option. BTW they also support Sonatype Lift and PyUp, we need to update our docs 😉

cwayne18 commented 1 year ago

Aha yes, somehow I knew but completely had forgotten this would need to go upstream sorry! 🤦

caniszczyk commented 1 year ago

+1 for upstream!

On Wed, Jan 4, 2023 at 4:41 AM Chris Wayne @.***> wrote:

> Aha yes, somehow I knew but completely had forgotten this would need to go upstream sorry! 🤦


-- Cheers,

Chris Aniszczyk https://aniszczyk.org

tegioz commented 1 year ago

Will close this one for now, please feel free to reopen if needed 🙂