[HN Gopher] We use Dependabot to secure GitHub
___________________________________________________________________
We use Dependabot to secure GitHub
Author : todsacerdoti
Score : 7 points
Date : 2022-05-25 22:23 UTC (37 minutes ago)
(HTM) web link (github.blog)
(TXT) w3m dump (github.blog)
| CaliforniaKarl wrote:
| I very much appreciate Dependabot! I like how it can pick up
| dependencies in interesting places.
|
| For example, the Globus @ Stanford web site
| (https://globus.stanford.edu) uses GitHub Pages (repo at
| https://github.com/stanford-rc/globus.stanford.edu). I have a
| Gemfile in the repo: When I want to test changes locally, I use
| Bundler to install everything I need, and to launch Jekyll. Even
| though the Gemfile isn't used 'in production', Dependabot still
| warns me, so that I don't run older, vulnerable software on my
| laptop.
|
| At the same time, I can't be sure if Dependabot is picking up
| dependencies for my Python project.
|
| In my latest project (https://github.com/stanford-rc/globus-
| group-manager), I'm using pyproject.toml to hold all of the
| Python dependencies for the project, something that Setuptools is
| now supporting experimentally (woot!). I've configured
| Dependabot, and it has picked up my repo's `pyproject.toml` file,
| but I can't tell if it has actually cataloged my Python
| dependencies.
|
| Looking around the web also does not give me a clear answer. For
| example, https://github.com/dependabot/feedback/issues/57 is
| titled "pyproject.toml support", but it refers specifically to
| Poetry (and indeed, Poetry v1 is listed as supported at
| https://docs.github.com/en/code-security/dependabot/dependab...).
| But Setuptools is not.
|
| https://github.community/t//2576 asks about Setuptools support,
| and has been pretty dormant. I thought setup.cfg was supported
| after https://github.com/dependabot/dependabot-core/pull/3423,
| but another project of mine (https://github.com/stanford-rc/mais-
| apis-python/network/depe...) doesn't show anything for setup.cfg.
|
| To be clear, I am very glad that Dependabot exists! I'm also glad
| to see it being used heavily inside GitHub. I hope this helps
| Dependabot expand to include more coverage for new and existing
| ecosystems.
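The comment above raises a practical question: does a scanner that reads only `pyproject.toml` actually see the dependencies a Setuptools project declares there? The script below is an added example, not code from the commenter, from the linked repositories, or from Dependabot itself. It parses the PEP 621 `[project]` table (plus `[build-system].requires` and optional-dependency groups) so a maintainer can compare the declared package list against what the repository's dependency graph shows. The `pyproject.toml` text is constructed for the example, the requirement-string splitting is a simplified stand-in for a full PEP 508 parser, and it flags the one case where a manifest-only scan is guaranteed to come up empty: `dynamic = ["dependencies"]`, which moves the list into `setup.cfg` or a requirements file.

```python
"""List the dependencies a PEP 621 pyproject.toml declares, and flag what a manifest-only scan cannot see."""
import re

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

# Constructed sample in the Setuptools / PEP 621 layout; not the commenter's real file.
SAMPLE_PYPROJECT = """
[build-system]
requires = ["setuptools>=61", "wheel"]
build-backend = "setuptools.build_meta"

[project]
name = "example-group-manager"
version = "0.1.0"
dependencies = [
    "requests>=2.27,<3",
    "globus-sdk>=3.5",
    "PyYAML",
]

[project.optional-dependencies]
dev = ["pytest>=7", "mypy"]
"""

# Constructed sample where Setuptools is told to read the list from elsewhere (setup.cfg or a requirements file).
SAMPLE_DYNAMIC_PYPROJECT = """
[build-system]
requires = ["setuptools>=61"]
build-backend = "setuptools.build_meta"

[project]
name = "example-dynamic"
version = "0.1.0"
dynamic = ["dependencies", "optional-dependencies"]
"""

# Simplified requirement syntax: name, optional [extras], then the version specifier.
# A full parser would be packaging.requirements.Requirement; this is enough for inventory purposes.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(spec: str) -> tuple[str, str]:
    """Split 'Name[extra]>=1.0; marker' into (normalised name, version specifier)."""
    spec = spec.split(";", 1)[0]  # drop any environment marker
    match = _REQ_RE.match(spec)
    if not match:
        raise ValueError(f"unparseable requirement: {spec!r}")
    name, _extras, specifier = match.groups()
    return normalize(name), specifier.strip()


def declared_dependencies(toml_text: str) -> dict[str, dict[str, str]]:
    """Return {group: {package: specifier}} for build-system, runtime, and each optional group."""
    data = tomllib.loads(toml_text)
    project = data.get("project", {})
    groups = {
        "build-system": dict(parse_requirement(r) for r in data.get("build-system", {}).get("requires", [])),
        "project": dict(parse_requirement(r) for r in project.get("dependencies", [])),
    }
    for extra, reqs in project.get("optional-dependencies", {}).items():
        groups[f"optional:{extra}"] = dict(parse_requirement(r) for r in reqs)
    return groups


def dynamic_dependency_fields(toml_text: str) -> list[str]:
    """Fields declared dynamic: their contents live outside pyproject.toml and are invisible to a manifest-only scan."""
    dynamic = tomllib.loads(toml_text).get("project", {}).get("dynamic", [])
    return sorted(f for f in dynamic if f in ("dependencies", "optional-dependencies"))


def unpinned(groups: dict[str, dict[str, str]]) -> list[str]:
    """Packages declared with no version constraint at all, across every group."""
    return sorted({name for deps in groups.values() for name, spec in deps.items() if not spec})


if __name__ == "__main__":
    for label, text in (("static", SAMPLE_PYPROJECT), ("dynamic", SAMPLE_DYNAMIC_PYPROJECT)):
        print(f"== {label} ==")
        for group, deps in declared_dependencies(text).items():
            print(f"  {group}: {deps}")
        print(f"  unpinned: {unpinned(declared_dependencies(text))}")
        print(f"  dynamic (not visible in this file): {dynamic_dependency_fields(text)}")
```

Run it against a real `pyproject.toml` by reading the file into `declared_dependencies`, then compare the normalised names with the repository's dependency graph page: any package present here but absent there is one the scanner did not catalogue, and a non-empty `dynamic_dependency_fields` result means the file itself does not contain the list, so no manifest parser could have found it.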
___________________________________________________________________
(page generated 2022-05-25 23:01 UTC)