#web-security
2021-12-23
seancorfield 18:12:27

@vemv I know the readme says to install it as a tool with {:mvn/version "RELEASE"} but it may be worth pointing out that installs whatever is the current Clojars release at the time and does not update it (normally, an alias that uses "RELEASE" will get updated versions over time, so that might catch people out). Also, as I mentioned before, that approach doesn't use the :tools/usage key in deps.edn so there's no default namespace so you have to say nvd.task/check. I prefer to install the tool from the tag instead -- {:git/tag "2.0.0"} -- which installs the exact same version as the :mvn/version except checks it out from source instead of using the JAR from Clojars, and then you can just say check because :tools/usage is respected in deps.edn for a git dependency.

vemv 18:12:53

I don't particularly remember why RELEASE is there, all other examples use a fixed version which I update whenever I cut a new release of nvd-clojure. Can change.

seancorfield 18:12:07

Well, if you are going to change it to a fixed version, maybe change from :mvn/version to :git/tag and let folks use the shorter invocation without nvd.task/ ?

vemv 18:12:03

I think that knowledgeable folks can tweak commands as they wish (which, for better or worse, already happened in various other areas). Other than that, it's not a particularly productive use of time to repeat a topic already touched at PR review time.

seancorfield 18:12:52

(my dot-clojure repo includes nvd-clojure as a tool, and uses the git dep approach -- clojure -Tnvd nvd.task/check ... still works with that, but you can omit nvd.task/ if you want)

seancorfield 18:12:48

My dot-clojure repo has this usage note: Note: if you install nvd-clojure yourself, following the instructions on the repo, you'll use the Maven (Clojars) coordinates and that will not have :tools/usage so you'll need to use nvd.task/check instead of just check.