I have a couple of improvements to clojars-web.
1. simplify deps.edn to always apply CVE fixes automatically https://github.com/clojars/clojars-web/pull/906
2. improve clj-kondo linting to copy configs and linting info from deps https://github.com/clojars/clojars-web/pull/905
I also have automatic weekly dependabot vulnerability scanning in a separate branch. Any interest in that? I saw nvd-clojure is used but I'm not sure if that's running regularly.
Thanks Ambrose! I'll take a look at those PRs now.
> I also have automatic weekly dependabot vulnerability scanning in a separate branch. Any interest in that? I saw nvd-clojure is used but I'm not sure if that's running regularly.
I run nvd-clojure manually, and haven't used dependabot with Clojure (last time I looked at it Clojure wasn't supported). I would be interested in seeing how it works.
Here's the basic idea https://github.com/frenchy64/dependabot-clojure-cli-via-mvn You commit a pom.xml to the repo and point dependabot to it. Then your CI build ensures it's always up-to-date by failing the build if it's out-of-date. Here it is working on clojars-web: https://github.com/frenchy64/clojars-web/pull/7/files That PR has the -:defaults and clj-kondo changes too; the dependabot-related stuff is:
• dependabot/pom.xml (generated)
• bin/check-dependabot (run during CI to ensure pom.xml <=> deps.edn)
• bin/sync-dependabot (run locally to refresh pom.xml)
• .github/dependabot.yml (dependabot config)
With the committed pom.xml, a dependency graph is available at https://github.com/frenchy64/clojars-web/network/dependencies and security alerts are reported here https://github.com/frenchy64/clojars-web/security/dependabot
It's only readable for maintainers, but this was a snakeyaml alert that was already dismissed by the nvd config, which I just manually dismissed on the github interface https://github.com/frenchy64/clojars-web/security/dependabot/1
I personally like having the dependency tree/list committed to the repo, so that is also demoed here:
• dependabot/deps-list.txt
• dependabot/deps-tree.txt
Very nice for auditing deps PRs, because they are also validated by the build.
Thanks Ambrose! I've merged it; we'll see how it goes.
This is pretty slick! Yes, I think this would be good to have for clojars-web.