Cora (she/her)04:09:23

is there a way to view deps with lein-ring activated? it injects so many dependencies that you don't see in lein deps :tree, dependencies that are wildly out of date and have a bunch of CVEs, and which you can't even audit except by watching what maven downloads when you go to use it


Maybe lein deps :plugin-tree ?

Cora (she/her)04:09:17

that has 6 direct CVEs and 2 indirect CVEs attached to it

Cora (she/her)04:09:54

I don't know what the solution is here other than to just not use lein-ring

Cora (she/her)04:09:19

(which isn't even hard to not use, but I want to be able to demonstrate the ancient deps to others)

Cora (she/her)04:09:09

only when lein-ring is activated do you get all of these deps included, but you can't see them when you run lein deps :tree

Cora (she/her)04:09:55

this seems like a really bad deal and it seems like a fairly widely used library

Cora (she/her)04:09:42

"12,040 This Version"


How to let leiningen ignore ssl errors.


we cannot know without a better description :) do any of these faqs help?


I am working behind an NTLM proxy. It throws SSL errors because the proxy intercepts requests


yeah but "errors" is not precise, we need a message, stacktrace, etc


OK. How do I enable verbose logging?


DEBUG=true lein foo


you should copy and paste the whole stacktrace


I cannot post from my laptop. Posting pic


I am trying to do lein repl in lein source repo


did you go over the FAQ linked to earlier?


Yes, they don't have much of a solution. npm has a strict-ssl false setting. I wish I could do it with Leiningen


yeah, I think that generally you cannot bypass SSL in Java. maybe you can remove the default :repositories and use unencrypted HTTP ones instead? e.g. then you'd enable HTTP as suggested in the faq


Tx. Is there insecure clojars as well?