Closed solvaholic closed 3 years ago
Hey @solvaholic,
good job on this one. If I may comment on one thing:
I understand what you're trying to do with Dependabot and vulnerability scanning but I believe you're making your life harder than what it needs to be. octodns's requirements file is part of the upstream project, so it and its security concerns should be the responsibility of the upstream developers.
Keeping track of upstream dependency changes in your own project will get quite cumbersome over time (you seem to have missed fqdn==1.5.0).
Hi @barnumbirr 👋 Thank you! And thanks for bringing this up:
> I understand what you're trying to do with Dependabot and vulnerability scanning but I believe you're making your life harder than what it needs to be. octodns's requirements file is part of the upstream project, so it and its security concerns should be the responsibility of the upstream developers.
I'm hoping to use Dependabot to notice when octodns has a new release and to simplify the process of bumping that version in octodns-sync.
While I don't plan to address octodns's vulnerabilities directly in octodns-sync, I'd like to notice them - and to make them visible to octodns-sync users who record this project as a dependency.
> Keeping track of upstream dependency changes in your own project will get quite cumbersome over time (you seem to have missed fqdn==1.5.0).
The fqdn requirement is relatively new, from https://github.com/octodns/octodns/pull/631. I expect it'll roll up into the next release. That will make a visible test of the automation 🤞
I haven't used Dependabot or the vulnerability alerts before, so I'm prepared to change my mind once I see how they work. The tooling needs to make octodns-sync simpler to manage, definitely not harder.
> I'm hoping to use Dependabot to notice when octodns has a new release and to simplify the process of bumping that version in octodns-sync. While I don't plan to address octodns's vulnerabilities directly in octodns-sync, I'd like to notice them - and to make them visible to octodns-sync users who record this project as a dependency.
I see your point. Guess you're right in giving it a go, let's see how it pans out.
If that Dependabot config (32755cf) works out OK I'd like to add these as well:
```yaml
# Maintain dependencies for Docker images
- package-ecosystem: "docker"
  directory: "/"
  schedule:
    interval: "weekly"
    day: "friday"
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
  directory: "/"
  schedule:
    interval: "weekly"
    day: "friday"
```
The dependency graph definitely got noisy. Dependabot seems to have only checked octodns, though, so 👍
When exploring @barnumbirr's suggestion in #22 to use PyPI, I realized I'd like to log all of octodns-sync's dependencies in requirements.txt. That'd enable Dependabot and vulnerability scanning.
So I made the new requirements.txt like this:
Building the contents that way removed this requirement:
Installing with pip means the image does not need Git, so that's out - which shrank the image by about 80MB 🎉 (That's a 22% reduction, which I hope will be reflected in the runners' docker pull times.)
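The point of recording every dependency in requirements.txt, as discussed above, is that Dependabot and the vulnerability alerts work from pinned release versions; an entry installed from a Git URL or left unpinned cannot be matched to a release or an advisory. The checker below, added here as an illustration and not code from the octodns-sync project or from any participant in this thread, parses a constructed requirements.txt and reports which entries are pinned with `==` and which would be invisible to that tooling. The sample file contents, the `Requirement` class and the function names are assumptions made for the example; only `fqdn==1.5.0` comes from the discussion.

```python
"""Audit a requirements.txt for entries that Dependabot and
vulnerability scanning cannot track: VCS/URL references, version
ranges and unpinned names. Constructed example, not project code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample; only the fqdn pin is taken from the thread.
SAMPLE_REQUIREMENTS = """\
# dependencies of the sync wrapper (constructed sample)
fqdn==1.5.0
octodns @ git+https://github.com/octodns/octodns.git@main
PyYAML>=5.4
requests
dnspython==2.1.0 ; python_version >= "3.6"
"""

# name==version, stopping the version at whitespace, ';' or ','
PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)\s*==\s*([^\s;,]+)$")
# bare project name, optionally with extras such as name[extra]
NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)")


@dataclass
class Requirement:
    name: str
    kind: str  # "pinned", "vcs", "range", "unpinned" or "unparsed"
    version: Optional[str]


def classify_line(line: str) -> Optional[Requirement]:
    """Classify one requirements.txt line; None for blank/comment/option lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None  # blank, comment, or a pip option such as -r / -e
    # Drop an environment marker ("; python_version >= ...") before parsing.
    spec_part = line.split(";", 1)[0].strip()
    if "://" in spec_part:
        # PEP 508 direct reference "name @ url" or a bare VCS URL:
        # no release version, so nothing for Dependabot to bump or match.
        name = spec_part.split("@", 1)[0].strip() if " @ " in spec_part else spec_part
        return Requirement(name, "vcs", None)
    m = PIN_RE.match(spec_part)
    if m:
        return Requirement(m.group(1), "pinned", m.group(2))
    m = NAME_RE.match(spec_part)
    if not m:
        return Requirement(spec_part, "unparsed", None)
    remainder = spec_part[m.end():].strip()
    return Requirement(m.group(1), "range" if remainder else "unpinned", None)


def audit(text: str) -> Tuple[List[Requirement], List[Requirement]]:
    """Return (all requirements, those not pinned to an exact release)."""
    reqs = [r for r in (classify_line(l) for l in text.splitlines()) if r]
    untracked = [r for r in reqs if r.kind != "pinned"]
    return reqs, untracked


if __name__ == "__main__":
    reqs, untracked = audit(SAMPLE_REQUIREMENTS)
    for r in reqs:
        print(f"{r.kind:9} {r.name} {r.version or ''}".rstrip())
    print(f"{len(untracked)} of {len(reqs)} entries are not pinned to a release")
```

Run against the sample it flags the Git reference, the `>=` range and the bare name, which is exactly the set that a pip-based, fully pinned requirements.txt removes. An `==` pin per dependency is what lets Dependabot open a bump PR for a new octodns release and lets the advisory database match the installed version.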