nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

Update dependencies #112

Closed fastjames closed 1 year ago

fastjames commented 2 years ago

Update library dependencies, and update the CI version matrix for newer elixir/OTP versions.

fastjames commented 1 year ago

I have updated the test matrix for erlang/OTP 25.1 and elixir 1.14.x.
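The CI matrix bump this PR describes, shown as an added illustration rather than the project's own workflow file: a GitHub Actions job that pins explicit Elixir/OTP pairs through erlef/setup-beam and runs the formatter check on the newest pair only. The job layout, runner images and the exact patch versions are assumptions; only the OTP 25.1 / Elixir 1.14 pairing and the `--check-formatted` step come from the thread.

```yaml
# Added example, not sobelow's CI config. Versions below are assumptions.
name: ci
on: [push, pull_request]

jobs:
  test:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        # Explicit pairs: every OTP is a supported target for its Elixir.
        include:
          - { os: ubuntu-22.04, otp: "25.1",  elixir: "1.14.2", check_format: true }
          - { os: ubuntu-22.04, otp: "24.3",  elixir: "1.13.4", check_format: false }
          - { os: ubuntu-20.04, otp: "20.3",  elixir: "1.5.3",  check_format: false }  # assumed minimum pair
    steps:
      - uses: actions/checkout@v3
      - uses: erlef/setup-beam@v1
        with:
          otp-version: ${{ matrix.otp }}
          elixir-version: ${{ matrix.elixir }}
      - run: mix deps.get
      # Formatter output differs across Elixir releases, so only the newest
      # pair is allowed to fail the build on formatting.
      - run: mix format --check-formatted
        if: ${{ matrix.check_format }}
      - run: mix test
```

Keeping the pairs in an explicit `include:` list rather than a cross product avoids generating combinations (for example Elixir 1.5 on OTP 25) that the compiler never supported, which is the usual reason a matrix bump breaks unrelated rows.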

houllette commented 1 year ago

This is great! It might be more prudent / safer to make the code changes in sobelow.ex and parse.ex in a separate MR though (unless I'm just being silly and the change from if not(function) in to if function not in is because of a deprecation I'm just spacing on)

Side note: I think in the time that it took us to review this, there may be more dependencies outdated / the ones bumped in your changes aren't the latest. So those will probably want to be modified before merging this in. Additionally we may want to just bump :jason and :ex_doc in the mix.exs file while we're at it.

fastjames commented 1 year ago

> This is great! It might be more prudent / safer to make the code changes in sobelow.ex and parse.ex in a separate MR though (unless I'm just being silly and the change from if not(function) in to if function not in is because of a deprecation I'm just spacing on)
>
> Side note: I think in the time that it took us to review this, there may be more dependencies outdated / the ones bumped in your changes aren't the latest. So those will probably want to be modified before merging this in. Additionally we may want to just bump :jason and :ex_doc in the mix.exs file while we're at it.

I completely agree about making sure the updates are themselves up to date. :-) Also, if any one library update is more than just editing the mix.exs I'm fine with splitting it into its own PR.

houllette commented 1 year ago

> (unless I'm just being silly and the change from if not(function) in to if function not in is because of a deprecation I'm just spacing on)

As an update to myself - turns out I was being silly and Elixir 1.4 doesn't support if function not in and --check-formatted on all versions after 1.4 complain unless it's in that form.

It's for that reason that I'm also bumping up the minimum supported version of Elixir for Sobelow to 1.5 as part of this PR.