haskell / security-advisories

https://haskell.github.io/security-advisories/
Other
45 stars 18 forks source link

GitHub Dependabot support for Haskell packages #205

Open frasertweedale opened 5 months ago

frasertweedale commented 5 months ago

Story

As a haskell developer (who uses GitHub), I want Dependabot to support Haskell, so that when new versions fix security issues, Dependabot will automatically create PRs that bump the version bounds.

Further discussion

For some languages, dependabot only works on lock/freeze files.

In Haskell land, some projects have a freeze file committed to the repo, and some do not.

IF it is easier to tackle the freeze file scenario first, that is fine. Do the easy thing and deliver value for some users, then tackle the harder problem.

frasertweedale commented 5 months ago

Articles and tools that may be helpful:

unorsk commented 5 months ago

According to GH people they no longer accept 'new' ecosystems as mentioned here and in the mean time they have been working on something that hasn't been crystallized yet

frasertweedale commented 5 months ago

Maybe we should focus on Renovate instead? https://github.com/renovatebot/renovate/issues/8187