clojars

2025-06-10T00:29:19.109979Z

I have a couple of improvements to clojars-web. 1. simplify deps.edn to always apply CVE fixes automatically https://github.com/clojars/clojars-web/pull/906 2. improve clj-kondo linting to copy configs and linting info from deps https://github.com/clojars/clojars-web/pull/905 I also have automatic weekly dependabot vulnerability scanning in a separate branch. Any interest in that? I saw nvd-clojure is used but I'm not sure if that's running regularly.

🚀 2
2025-06-10T11:12:48.694519Z

Thanks Ambrose! I'll take a look at those PRs now.

> I also have automatic weekly dependabot vulnerability scanning in a separate branch. Any interest in that? I saw nvd-clojure is used but I'm not sure if that's running regularly.

I run nvd-clojure manually, and haven't used dependabot with Clojure (last time I looked at it Clojure wasn't supported). I would be interested in seeing how it works.

2025-06-10T15:51:09.144289Z

Here's the basic idea: https://github.com/frenchy64/dependabot-clojure-cli-via-mvn You commit a pom.xml to the repo and point dependabot to it. Then your CI build ensures it's always up-to-date by failing the build if it's out-of-date. Here it is working on clojars-web: https://github.com/frenchy64/clojars-web/pull/7/files That PR has the -:defaults and clj-kondo changes too; the dependabot-related stuff is:
• dependabot/pom.xml (generated)
• bin/check-dependabot (run during CI to ensure pom.xml <=> deps.edn)
• bin/sync-dependabot (run locally to refresh pom.xml)
• .github/dependabot.yml (dependabot config)

2025-06-10T15:52:55.458979Z

With the committed pom.xml, a dependency graph is available at https://github.com/frenchy64/clojars-web/network/dependencies and security alerts are reported at https://github.com/frenchy64/clojars-web/security/dependabot

2025-06-10T15:54:07.153919Z

It's only readable for maintainers, but this was a snakeyaml alert that was already dismissed by the nvd config, which I just manually dismissed on the github interface https://github.com/frenchy64/clojars-web/security/dependabot/1

2025-06-10T16:22:22.144789Z

I personally like having the dependency tree/list committed to the repo, so that is also demoed here:
• dependabot/deps-list.txt
• dependabot/deps-tree.txt
Very nice for auditing deps PRs, because they are also validated by the build.

2025-06-22T16:43:35.082599Z

Thanks Ambrose! I've merged it; we'll see how it goes.

2025-06-12T00:07:24.224939Z

This is pretty slick! Yes, I think this would be good to have for clojars-web.

👍 1
2025-06-18T05:04:56.288749Z

Here it is https://github.com/clojars/clojars-web/pull/907