myguidingstar 04:05:38 now use nix package manager to build REPL sandbox environments


(Clojure is among the very first demos there)


I’ve got this super weird PR on a repo of mine: Some bot involved and someone I have no clue who it is filing the PR. Is it some new way to advertise your services to have bots roaming around Github and “fixing” things?


Not sure who put your repo in their list


Next step from bots reporting on vulnerabilities


I guess it can be quite usable. But super weird to get a PR like that without context.


I would verify that the change to the package.json file does, indeed, result in the same package-lock.json file that's in the PR


It's trivial to update a library in your package file which changes the lock file, and then they put in a couple extra dependencies in the lockfile by hand, hoping you won't inspect it @U0ETXRFEW


That GitHub user looks rather suspicious. The user has created lots of random PRs/comments to dozens if not hundreds of repos. I wouldn't be surprised if it was a bot or some machine learning thing submitting random stuff to GitHub for some reason. Then again, there are a lot of interesting people online so you never know, perhaps there is no malicious intent behind this...


I should bump a lot of stuff in that repository. Not going to pull that PR though, whatever the intent. 😃


It looks like a personal GitHub account that created it, according to profile of the GitHub user id


Snyk is software to identify versions of dependencies with security issues, if I recall correctly. The user probably scanned your code using snyk, it reported some warnings or issues, and this person thought you might want to make these changes


The project.clj change looks really strange though.


Which looks even more like a relatively new coder making the change to me, rather than a bot

Alex Miller (Clojure team) 15:05:14

snyk will notify you if you are using a dep that leads to a known vulnerability

Alex Miller (Clojure team) 15:05:27

which may lead someone to make a pr to fix it


Sounds very plausible


Snyk might even suggest a pr fix in some cases I think.