#off-topic
2021-05-25
myguidingstar04:05:38

http://REPL.it now uses the Nix package manager to build REPL sandbox environments: https://blog.replit.com/nix

myguidingstar04:05:00

(Clojure is among the very first demos there)

pez15:05:36

I’ve got this super weird PR on a repo of mine: https://github.com/PEZ/rn-rf-shadow/pull/21 There's some http://snyk.io bot involved, and someone I have no clue who it is filing the PR. Is it some new way to advertise your services, to have bots roaming around GitHub and “fixing” things?

emil0r15:05:22

Not sure who put your repo in their list

emil0r15:05:50

Next step from bots reporting on vulnerabilities

pez15:05:45

I guess it can be quite usable. But super weird to get a PR like that without context.

futuro15:05:14

I would verify that the change to the package.json file does, indeed, result in the same package-lock.json file that's in the PR

futuro15:05:10

It's trivial to update a library in your package file, which changes the lock file, and then they put a couple of extra dependencies into the lock file by hand, hoping you won't inspect it @U0ETXRFEW

lassemaatta15:05:36

That GitHub user looks rather suspicious. The user has created lots of random PRs/comments on dozens if not hundreds of repos. I wouldn't be surprised if it was a bot or some machine learning thing submitting random stuff to GitHub for some reason. Then again, there are a lot of interesting people online, so you never know; perhaps there is no malicious intent behind this...

pez15:05:16

I should bump a lot of stuff in that repository. Not going to pull that PR though, whatever the intent. 😃

andy.fingerhut15:05:40

It looks like a personal GitHub account that created it, according to the profile of the GitHub user ID

andy.fingerhut15:05:53

Snyk is software to identify versions of dependencies with security issues, if I recall correctly. The user probably scanned your code using Snyk, it reported some warnings or issues, and this person thought you might want to make these changes

p-himik15:05:41

The project.clj change looks really strange though.

andy.fingerhut15:05:48

Which looks even more like a relatively new coder making the change to me, rather than a bot

Alex Miller (Clojure team)15:05:14

Snyk will notify you if you are using a dep that leads to a known vulnerability

Alex Miller (Clojure team)15:05:27

which may lead someone to make a PR to fix it

emil0r15:05:48

Sounds very plausible

gklijs20:05:36

Snyk might even suggest a PR fix in some cases, I think.