Noooo, let’s do it per capita so we can win again!! :flag-dk:

that is the official slack way to poll

Great 🙂

emoji polls are open like maps 🙂

No Ireland???

I love emoji polls. All the default key bindings work!

arrow keys  ;; select post
r           ;; reactions menu
flag no     ;; fuzzy find norwegian flag

The result...

bunch of PRs even better :) for extra cautiousness, you can run said clojure projects' CI with their bumped java dep and see if it's still green

in the meantime you can create an expiring suppression via the xml file. This way you give yourself a reasonable margin for your PRs (or experiments) to complete

I'll admit that sometimes I'll YOLO it and just bump the java dep.

data.priority-map is that a clojure dep?

FP https://github.com/jeremylong/DependencyCheck/issues/4720

It's not clear to me at all how this issue was fixed in data.prioritymap

and how it was an issue

nvd-clojure uses dependencycheck, which sometimes has FPs, that's the issue

ah False Positive, I see

@U45T93RA6 > for extra cautiousness, you can run said clojure projects' CI with their bumped java dep and see if it's still green That was the "deps.edn monkey-patching" I was referring too 😛

just in case, we might not be referring to the same thing: running your project with bumped java deps vs. running a clojure dep with its bumped java dep the latter sounds more forkey than patchey to me ^^

happily, with deps.edn, forking and consuming that fork is super easy

I meant the Java deps.

We run antq (to identify our own outdated deps) and clj-watson (to identify CVEs) regularly and we're pretty aggressive about updates and vulns so I think we're down to just four at the moment, three of which are in Google's libraries with no updates available 😐

> Some of them do not even appear in clj -X:deps tree , yet they still exist as downloaded .JAR files. Sounds odd, because nvd-clojure only accepts a classpath as its input. so if clojure doesn't include a given .jar in its classpath, then nvd-clojure won't possibly analyze it

Doesn't clj -Stree help?

ah it is the same tool

@U45T93RA6 yeah, but nevertheless it is the case

My current state of affairs after updating explicit deps and some of the transitive deps. Of the jars coloured in red, logback, undertow, and xnio do not appear in the deps tree output

(I am just grepping the output using e.g. undertow as a param)

If you file an issue in nvd-clojure I'd be happy to swiftly attend it. I feel like I'm missing some info (which the issue template intends to gather)

Regarding the tree stuff I remember one of them considers aliases, whereas the other doesn't

oh

I think clj -Stree is the one to use

let me try that out

I remember Alex Miller pointing it out somewhere

THAT WAS IT! clj -A:frontend:build -Stree works fine

why do the Clojure CLI tools have to be so confusing

I think it's worth pointing that out to someone on the Clojure team again

yup

https://ask.clojure.org/index.php/10245/clj-x-deps-tree-ignores-sdeps?show=10245#q10245

@U4P4NREBY clojure -X:deps tree :aliases '[:frontend :build]' -- all the -X:deps functions accept :aliases I believe.

When I last did some work with nvd it didn’t exclude its own dependencies

That's why it works with a classpath now

I see you read that RFC lol

😄