Lane Seppala
It looks like this issue has been open for a while and we’ve made a bunch of improvements to Dependabot since, including better support for private registries. Is this still...
From https://github.com/dependabot/dependabot-core/issues/2588#issuecomment-983145952: > Yes, it seems to be the case that Dependabot updates a dependency with its dependencies for Composer. Looking at the Composer updater code > https://github.com/dependabot/dependabot-core/blob/5456c0dd3e3c6e2a2dac87d9ebce156e8230fab6/composer/helpers/v2/src/Updater.php#L78-L87 > and...
Definitely agree with the usefulness of the toolkit supporting conversion from an SBOM file to a submission to the API. (We originally considered using one of the SBOM standard formats,...
> But we see one snag, when submitting several sbom's only one of them show up in the dependencies pane @davidkarlsen I'll take a look. A common issue is that...
I would like to propose (and will volunteer to contribute) a solution that solves this problem as I understand and have experienced it. ## Problem I want to add a...
Thanks for the thorough explanation, @cnagadya! To confirm, the issue was that `snakeyaml` was a transitive dependency of `jackson-dataformat-yaml`. However, we do not make it clear in the Dependency Graph...