Adding a configuration file for checking the composer
dependencies every Thursday. It will open a PR if need be;
a maximum of 2 PRs can be opened, so every two weeks an action must be
made. Should be possible to cope with.
These changes are part of qualification for the CII Best Practices
silver badge.
From the checklist (see "externally maintained components"):
Projects MUST monitor or periodically check their external dependencies (including convenience copies) to detect known vulnerabilities, and fix exploitable vulnerabilities or verify them as unexploitable.
This can be done using an origin analyzer / dependency checking tool / software composition analysis tool such as OWASP's Dependency-Check, Sonatype's Nexus Auditor, Synopsys' Black Duck Software Composition Analysis, and Bundler-audit (for Ruby). Some package managers include mechanisms to do this. It is acceptable if the components' vulnerability cannot be exploited, but this analysis is difficult and it is sometimes easier to simply update or fix the part.
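The commit above describes a weekly dependency check that opens at most two pull requests; the configuration below is an added illustration of such a setup, not the file from this commit, and it assumes the tool in use is GitHub Dependabot with the project's composer.json at the repository root.

```yaml
# .github/dependabot.yml (added example; assumes GitHub Dependabot)
version: 2
updates:
  - package-ecosystem: "composer"   # scan composer.json / composer.lock
    directory: "/"                  # assumption: composer.json at repo root
    schedule:
      interval: "weekly"
      day: "thursday"               # matches the Thursday cadence described above
    # Cap concurrent PRs so that unattended updates cannot pile up; with two
    # slots, maintainers must merge or close something roughly every two weeks
    # before further update PRs are raised.
    open-pull-requests-limit: 2
    labels:
      - "dependencies"
```

Security-only alerts for known-vulnerable versions are raised by Dependabot regardless of this schedule; the weekly job additionally keeps non-vulnerable dependencies current so that a future fix is a small version bump rather than a large upgrade.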