what really grinds my gears - people, at large, seem to be amazed about books that teach tutoring-leading-coaching based on industrial age standards (factories that ship identical components for years and optimize the process of building and selling those). and software development feels nothing alike, we don't build the same application every day for 50 times, we have discovered automation years ago. and reading the books, checking their examples about horribly dysfunctional companies. brrrrr!

this is like learning to scuba dive by reading books on how to drive cars.

and on a side note i believe that future is about improving quality, as with our limited resources on the planet we have maxed out the quanitity part a while ago. so learning how to do more stuff isn't what we should be focusing on.

Maybe some more people could let it know the want to use clj commands with Netlify. Used it before with leiningen, it's a great way to deploy open source projects for free. https://github.com/netlify/build-image/pull/289

in the past, i've received a number of security alerts regarding npm-related things for repositories on github -- it seems not too infrequent for them to be flat out wrong. i don't see an obvious way to provide feedback about this to github. it seems like one ought to be able to mark them as "no, that seems wrong", but i haven't yet found a way to do so. any thoughts?

Do you know what organization, software, etc. are creating these security alerts?

well, the advisory itself doesn't seem wrong -- the problem is that github appears to be claiming that it applies to certain repositories...which the advisory does not seem to apply to.

i'm being alerted by github afaict

I would not be surprised if, like a lint checker type tool, there could be false positives in the software (and/or human decisions) involved in generating these messages.

sure, that makes sense -- it just seems silly that there would be no way to provide feedback to "train" their system better 🙂

If there are no links in the messages to who/what generated them, that seems sloppy to me. If there are, try to trace it back and look for problem-reporting places.

here is an example link: https://github.com/advisories/GHSA-4328-8hgf-7wjr

The link you are looking for might not be in the message itself, but only reachable via 1 to 3 clicks from the message.

There is a Github user id right there 🙂

this just seems to be sending me to some general info afaict

sure, but this is like spam

There is also a generic "Contact Github" link at the bottom, which would probably be lumped together with lots of other kinds of questions/concerns.

False positives for a good-intentioned service can look like spam, agreed. I would not be surprised if the source of the messages has good intentions, regardless of how well or poorly they carry them out, but I don't know the source.

sorry, wasn't questioning the intentions here -- i am generally favorable about the idea of being notified of potential security issues. it just seemed so wrong in this case (and a number of cases in the past) that i start to doubt my conclusion.

Maybe everyone using npm in any way at all in a Github-published project got a link to that, given its widespread applicability?

i thought that could be the case, but there is some indication that the decision was based on a particular yarn.lock file -- when i look in the yarn.lock file, the npm version is clearly greater than the vulnerable version mentioned in the advisory

3 npm vulnerabilities found in yarn.lock 2 days ago

i haven't touched this repository in quite some time

so afaik, nothing has changed in it

New vulnerabilities can be discovered in unchanged software, whenever. I am not saying I know your code is subject to the reported vulnerability, just that you don't need to change it to be vulnerable.

Anyway, sorry, all I have is generic advice, not based on experience with these messages. If worst comes to worst, you can use your email filtering capabilities to redirect them all into a folder that doesn't hit your inbox.

yes, i am familiar with that phenomena (vulns being discovered in unchanging software) 🙂 it's just that the numbers don't agree in this case

np, appreciate the joint-processing 🙂

I have been getting this GitHub security alerts for a while now, recently, more frequently. They usually suggest a bump version and it works when i update to the suggested version. I found the dependabot bot very helpful, it upgrades and closes the issue.

it's good to hear it's helping some people at least 🙂

I haven't tested it on cljs projects with node plugins, but it seems to be working well with pure NodeJs projects i guess.

Did you try to update to the suggested version (Even if your version was greater than the mentioned version)? 😁

no -- i'm not really inclined to change a version for something just to match an advisory if what i had was working and supposedly not vulnerable.

Do yarn audit and/or npm audit also claim no vulnerabilities?

yarn audit was the first thing i tried -- and it said 0 vulns.

I get those alerts too, on the Ruby-based source of several websites that are powered by (an old version of) Octopress.