Closed NicolaLS closed 1 year ago
Though from time to time we should run `nix flake lock --update-input advisory-db` to update the locked advisory db.
> Though from time to time we should run `nix flake lock --update-input advisory-db` to update the locked advisory db.

oh ok did not see that
> Though from time to time we should run `nix flake lock --update-input advisory-db` to update the locked advisory db.

can we automate this? also I don't think we should fail CI for someone opening a PR because a vulnerability was found in an older dep.. maybe it would make sense to remove it from nix and put it in daily with actions-rs/audit-check@v1..?
> can we automate this? also I don't think we should fail CI for someone opening a PR because a vulnerability was found in an older dep

Seems valuable to me, but we can deal with it if it ever happens.
> can we automate this

Would be great if we could teach dependabot to do it for us. :)
if we don't update the advisory-db every time CI runs it does not make sense to have it there. If we do, CI will block development just because the audit failed even if it's unrelated to the PRs (example). Running this daily makes us aware of problems but doesn't block anything.
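One way to wire up the "daily" idea discussed above (a scheduled audit that reports failures without gating pull requests, plus a job that refreshes the locked advisory-db flake input with the command quoted in the thread). This is an added example, not a workflow from the fedimint repository or from anyone in the thread; the workflow name, the cron schedule, the action versions and the use of cachix/install-nix-action are assumptions for illustration.

```yaml
# Added example (not the project's own workflow). Runs cargo-audit once a day
# via actions-rs/audit-check@v1, as proposed above. Because the workflow is
# triggered by `schedule` and not by `pull_request`, a failing audit shows up
# in the Actions tab and in notification e-mail but never blocks a PR.
name: daily-audit

on:
  schedule:
    # 06:00 UTC every day (assumed schedule)
    - cron: "0 6 * * *"
  # Allow a manual run when someone wants to re-check after a dependency bump.
  workflow_dispatch: {}

jobs:
  cargo-audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # audit-check installs cargo-audit and fails the job on any advisory
      # that matches Cargo.lock. The token is required by the action so it can
      # annotate the run; GITHUB_TOKEN is the default workflow token.
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  refresh-advisory-db:
    # Runs the command quoted in the thread so the nix-side audit does not use
    # a stale advisory database. Turning a changed flake.lock into a PR is left
    # out; how the repo wants such updates proposed is not stated in the thread.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Assumed: nix installed via cachix/install-nix-action with flakes enabled.
      - uses: cachix/install-nix-action@v20
        with:
          extra_nix_config: "experimental-features = nix-command flakes"
      - run: nix flake lock --update-input advisory-db
      # Non-zero diff here means the advisory-db input moved and flake.lock changed.
      - run: git diff --stat -- flake.lock
```

Keeping the audit out of the `pull_request` trigger is the whole point: the job can be red for days while a fixed release of an affected crate is awaited, and development is not stalled by it.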
Base: 60.30% // Head: 60.23% // Decreases project coverage by -0.07% :warning:

Coverage data is based on head (15d33a2) compared to base (a05542a). Patch has no changes to coverable lines.
I don't know... The problem with daily is that people don't pay attention to it. It's been failing for a while now.

Also, with latest advisory db the check is ~~passing~~ failing and I'm waiting for https://github.com/djc/askama/issues/738 to fix it.
> ...check is passing and I'm waiting...

why is the check passing? it should fail until they release a new version and we bump or no?
> why is the check passing?

Sorry, I hadn't had my morning coffee. The check is failing, and we need a new release of this dependency to have a fix.
I'm actually seeing daily failures in my e-mail, it just wasn't highest priority so far to fix. I think it would still be nice to have a check in daily CI that tells you what could use some attention.
`cargo audit` is very useful (install it with `cargo install cargo-audit`). We should also add it to the CI on push (if .toml changes), but right now fedimint is not regarded usable anyway, so this would just slow down development.