Can this be integrated into Github's Dependabot? #3
Comments
This is a great idea and should definitely be one of our milestones. Here's how it works: Dependabot is a part of the Github Advisory Database. Github pulls data from the security databases of several open source languages like Python, Ruby, Rust and JavaScript and issues its own "GHSA-id" to each of them. Then Dependabot reads that data and searches through Github for projects relying on a vulnerable version, making an auto PR that bumps them up. Perl, unsurprisingly, is not supported. YET! 😈 While it is tempting to simply open an issue on their repo asking them to support CPAN, I'd rather we set things up properly on our end so adding CPAN is so easy they see no point in not doing so. So here are my proposed steps to reach that milestone and get into Github's advisory database and Dependabot (and increase the overall security and awareness of Perl/CPAN's ecosystem):
What do you all think? Looks like we have a lot of work ahead of us!

LGTM!
https://github.com/dependabot sends PRs to repos to bump dependencies. I have no idea how it works though.