Fork me on GitHub

Thanks for the contribution @borkdude — solidifying/documenting the Docker setup gets us much closer to being able to offer something that people can plug into their CI flows 🙂


Hi, I'm wondering if having checks on project dependencies would be overreaching for cljdoc. Last week I ran dependency-check-maven on some libraries and had some positive (as in vulnerabilities present). I would love to have someplace running those automatically without project owners having to do the setup (like cljdoc) but that only have anything to do with documentation by stretching the concept (knowing vulnerabilities is a form documentation relevant for project users).


@mynomoto as much as I'd love such a tool to exist for the Clojure community I don't think cljdoc is in a better position to solve this than anyone else. GitHub recently announced some more stuff coming in that direction as well (they acquired


Also, per Alex's comments, dependency-check-maven can give false positives so I'm not sure baking that into generated docs is a good idea: it may give the (incorrect) idea that a library is "not safe" when, in fact, there is no real vulnerability.


@seancorfield My experience is really different from his. Seem like every thing reported was accurate. As any tool is about trade-offs. I'm not suggesting placing incorrect warnings on docs, but having someplace where these reports could be available and currently cljdoc and clojars are the ones that come to mind as dealing with lots of clojure projects.


@martinklepsch fair enough, I thought that was a stretch but worth to ask 😉


@martinklepsch Also dependabot seems to solve the problem as long as there is a generated pom.xml so one will have to do that and pretend that it is a java project or to find a way for clojure to be supported. Thanks for that pointer.


Greenkeeper is another project operating in this space. Maybe they have better support for Clojure