Fork me on GitHub

Does anyone know if it's possible to trick github's Dependabot into scanning vulnerabilities for a Clojure-project if a pom.xml exists? I was thinking that the java-stuff should work 🙂


Currently using DependencyCheck/nvd from a pipeline. Would be cool to use dependabot though


I don't belive that dependabot is a good thing, but you can use clj -X:deps mvn-pom to create a pom file, commit it, then github will do the thing for you. dependabot IMHO has these same issues:


that article severely lacks nuance btw typical "famous twitter guy" syndrome most decent setups decouple dev/test from prod dependencies, if npm doesn't do that by default it's their problem

vemv16:09:45 is a thing btw compatible with deps.edn also

👍 2

IIRC, dependabot doesn’t do transitive deps, so it’s kind’a useless.


We have set up a lein-nvd job which runs nightly and on commits, and lein-nvd does search through the transitive deps as well.

🍻 6

@U45T93RA6 and myself have a friendly argument about the finer details of this 🙂

🥊 2

lein-nvd is the way to go, I tried dependabot and generating a pom.xml does trigger it, but no transitive dependencies detection 😮.


Thanks for the heads-up @U04V5VAUN