Post Ai8EdLWAdlQIak93ce by craigbro@emacs.ch
       2024-05-21T22:24:06Z
Recent CVE in #git allowing RCE when cloning a repo, see https://github.com/git/git/security/advisories/GHSA-8h77-4q3w-gfgv

Note it says, "As always, it is best to avoid cloning repositories from untrusted sources."

Now consider how many languages will clone a repo of a transitive dependency, or direct dependency, at time of dep resolution -- often before any dep analysis/presentation tools could give you a means to evaluate the transitive git deps.

Like #clojure, one of my favorites. I have not reviewed dep resolution/fetch code in other languages, but it seems that they should all heed the advice in that advisory.