Fomantic-UI icon indicating copy to clipboard operation
Fomantic-UI copied to clipboard

Published 20 hours ago verified publisher icon fomantic

chore(deps): Included dependency review

Open naveensrinivasan opened this issue 3 years ago • 2 comments

Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement Signed-off-by: naveensrinivasan [email protected]

naveensrinivasan avatar Apr 28 '22 14:04 naveensrinivasan

Thanks for making PR.

I am fine with having this kind of tools for FUI repo. I agree with lubber that FUI repo enable this tools when it graduates beta, since FUI repo is not an appropriate repo for beta test, I think.

FUI repo uses many npm dependencies for build and CI/CD, but a few for UI modules. Chances of introducing new dependencies or updating manually are less likely compared to other OSS repos. If dependabot creates PR for vulnerability reason, PR contains information about vulnerabilility. So, I think we may not find any issue nor feature request for the tool during beta phase.

exoego avatar Apr 29 '22 21:04 exoego

Just an FYI there is a v1 release https://github.com/actions/dependency-review-action/releases/tag/v1

naveensrinivasan avatar May 16 '22 19:05 naveensrinivasan