Closed seanieb closed 2 years ago
ziirish
commented
2 years ago Hello,
Thanks for your PR! I was about to remove ossaudit as well priori making a new release (in order to make sure all our tests are running as expected) but I'm open to any replacement suggestion :pray:
seanieb
commented
2 years ago The project already has Github Security Advisories, but enabling Githubs Dependabot opens up a pull request each time there's a dependency update. This pull requests have the change notes or a link too them, so it's easy to keep an eye on any that are relevant to this project. It the squashes any future updates into that PR.
For the wider security of the project we also use a static analysis like Semgrep, it's easy to setup and there's lot of existing Semgrep rules that we could just apply. But that can wait for separate PR.
HenriBlacksmith
commented
2 years ago Does this one need more approvals to be merged?
seanieb
commented
2 years ago I'm unable to merge it, black formatting seems to be failing too @ziirish
Proposed changes
ossaudit has lots of flase positives. And there's better ways to address security for depenencies within github.
Types of changes
What types of changes does your code introduce?
Checklist
Put an
xin the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.Further comments
If this is a relatively large or complex change, kick off the discussion by explaining why you chose the solution you did and what alternatives you considered, etc...