phylum-dev / cli

Command line interface for the Phylum API
https://phylum.io
GNU General Public License v3.0

Bump dependencies #1297

Closed phylum-bot closed 11 months ago

phylum-bot commented 11 months ago

Bump dependencies for all SemVer-compatible updates.

cd-work commented 11 months ago

Holding out for a potential quick fix from UUID: https://github.com/uuid-rs/uuid/issues/720#issuecomment-1818822653

phylum-io[bot] commented 11 months ago

Phylum OSS Supply Chain Risk Analysis - INCOMPLETE

The analysis contains 1 package(s) Phylum has not yet processed, preventing a complete risk analysis. Phylum is processing these packages currently and should complete soon. Please wait for up to 30 minutes, then re-run the analysis.

View this project in the Phylum UI

kylewillmon commented 11 months ago

Interesting that the Phylum check is still considered a pass even though the new uuid package hasn't been analyzed yet...

maxrake commented 11 months ago

> Interesting that the Phylum check is still considered a pass even though the new uuid package hasn't been analyzed yet...

This is the documented behavior:

> A comment will be written to the PR if an issue is identified that fails the defined policy. There will be no comment if no dependencies were added or modified for a given PR. If one or more dependencies are still processing (no results available), then the comment will make that clear and the CI job will only fail if dependencies that have completed analysis results do not meet the active policy.

The Phylum GitHub Action works the same way. That behavior was part of the design and intended to keep from blocking CI due to Phylum processing delays. The tradeoff is that users of Phylum in CI/PRs need to maintain some level of discipline in all but the most urgent cases to wait on merging until the analysis results are available.
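The gating rule quoted above, written out as an added illustration (not Phylum's own code): completed results that violate policy fail the job, still-processing packages only produce a comment, and a `require_complete` switch shows the stricter stance a team could take if it wants CI itself to enforce waiting for results. The package names, versions and the `PackageResult`/`gate` helpers are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PackageResult:
    """One dependency as the CI check sees it (constructed shape, not the Phylum API)."""
    name: str
    version: str
    complete: bool                      # False while analysis is still processing
    meets_policy: Optional[bool] = None  # None until analysis is complete


@dataclass
class GateDecision:
    comment: Optional[str]  # text to post on the PR, or None for no comment
    fail_ci: bool           # whether the CI job should fail


def gate(results, require_complete=False):
    """Apply the documented behaviour: no added/changed deps -> no comment;
    completed policy failures -> fail; pending packages -> comment only,
    unless require_complete is set (a stricter, hypothetical mode)."""
    if not results:
        return GateDecision(comment=None, fail_ci=False)
    pending = [r for r in results if not r.complete]
    failing = [r for r in results if r.complete and r.meets_policy is False]
    lines = []
    if failing:
        names = ", ".join(f"{r.name}@{r.version}" for r in failing)
        lines.append(f"Policy violations: {names}")
    if pending:
        lines.append(f"{len(pending)} package(s) still processing; re-run the analysis later.")
    fail_ci = bool(failing) or (require_complete and bool(pending))
    return GateDecision(comment="\n".join(lines) or None, fail_ci=fail_ci)


def sample_run(require_complete=False):
    # Constructed input mirroring this PR: one new package not yet analyzed.
    results = [
        PackageResult("serde", "0.0.0-example", complete=True, meets_policy=True),
        PackageResult("uuid", "0.0.0-example", complete=False),
    ]
    return gate(results, require_complete=require_complete)


if __name__ == "__main__":
    d = sample_run()
    print(f"fail_ci={d.fail_ci}\n{d.comment}")
```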