pinkforest(she/her)

Also re: that pipe - Think it would need to read stderr for debug if it's crashing ? The stdout would not capture anything if the runner process just panic'd...

If you look at the PR it removed the whole advisory file that was allocated ID previously Something out there should enforce that withdrawn field is used and no advisories...

Don't think we need a separate license field ? I mean we could just say source = ["database", ..] .. and then that source triggers both license (if req.) and...

`origin = ["database", .. ]` then ? EDIT: Yes source as-of-now makes sense so we can use origin instead - I just had to have a nit :woman_shrugging:

Yeah that makes sense, even when it says registry+ so it provides the extendable meta format that aligns with the .lock as you say Anyways can we agree on `origin...

> (Advisory writers themselves needn't type these field names, right?) They do. Nonetheless we are not Java and we are not complicating WithLongerFieldThatCouldHaveBeenPerfectlyShortName despite being supposedly more descriptive. Advisory is...

Two things .. or three .. or four .. depending on how one reads it :thinking: ## Long field names with - Long field names especially with `-` are prone...

Very different animal tho - whitelisting is quite involved way to do it imo for the problem with transient deps ? I mean they all need bumping.. eventually ... it's...

Could be also nice to include more examples of various advisories e.g. "what looks good" or just plain templates as people don't seem to figure that unmaintained category exists :)...

It wouldn't be manual annotation as assign-id's would do that field Serial numbers are by year and I wouldn't know whether 2021-0123 comes earlier than 2022-0004 without looking at commit...