scala-steward

Updates based on dependency security alerts

Open paualarco opened this issue 1 year ago • 3 comments

Hello!

It would be lovely if scala-steward was able to update dependencies related to vulnerability alerts.

Is this a feasible feature? Would you consider adding it to this project? If so, I would be interested in contributing! I am very open to hearing ideas/suggestions.

My idea is that we could maybe allow passing this as an argument. The vulnerability alerts could be parsed dynamically from the GitHub API Dependabot alerts endpoint, and the update then forced to a non-affected version.

paualarco avatar Oct 17 '24 20:10 paualarco
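As an added illustration of the mechanism proposed above (this is example code written for this page, not scala-steward's code and not something paualarco posted), the script below takes the JSON that GitHub's `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint returns, keeps only open alerts for the `maven` ecosystem (the one that covers sbt dependencies, where the package name is `groupId:artifactId` with the Scala binary-version suffix on the artifactId), reduces several alerts on one package to the highest `first_patched_version`, and reports which pinned dependencies still sit below that version. The alert payload and the pinned dependency list are constructed samples; their field layout follows GitHub's documented response shape, but every package name, version and GHSA id in them is made up. Python is used here so the example runs stand-alone; the same logic would map directly onto a Scala implementation.

```python
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed sample data: the shape mirrors GitHub's REST response for
# GET /repos/{owner}/{repo}/dependabot/alerts (fields trimmed), but every value is made up.
SAMPLE_ALERTS_JSON = """
[
  {"number": 1, "state": "open",
   "dependency": {"package": {"ecosystem": "maven", "name": "com.example:parser_2.13"},
                  "manifest_path": "build.sbt"},
   "security_advisory": {"ghsa_id": "GHSA-example-0001", "severity": "high"},
   "security_vulnerability": {"vulnerable_version_range": "< 1.4.2",
                              "first_patched_version": {"identifier": "1.4.2"}}},
  {"number": 2, "state": "open",
   "dependency": {"package": {"ecosystem": "maven", "name": "com.example:parser_2.13"},
                  "manifest_path": "build.sbt"},
   "security_advisory": {"ghsa_id": "GHSA-example-0002", "severity": "critical"},
   "security_vulnerability": {"vulnerable_version_range": ">= 1.4.0, < 1.4.5",
                              "first_patched_version": {"identifier": "1.4.5"}}},
  {"number": 3, "state": "dismissed",
   "dependency": {"package": {"ecosystem": "maven", "name": "com.example:http-client"},
                  "manifest_path": "build.sbt"},
   "security_advisory": {"ghsa_id": "GHSA-example-0003", "severity": "low"},
   "security_vulnerability": {"vulnerable_version_range": "< 3.0.0",
                              "first_patched_version": {"identifier": "3.0.0"}}},
  {"number": 4, "state": "open",
   "dependency": {"package": {"ecosystem": "npm", "name": "left-pad"},
                  "manifest_path": "ui/package.json"},
   "security_advisory": {"ghsa_id": "GHSA-example-0004", "severity": "moderate"},
   "security_vulnerability": {"vulnerable_version_range": "< 9.9.9",
                              "first_patched_version": {"identifier": "9.9.9"}}},
  {"number": 5, "state": "open",
   "dependency": {"package": {"ecosystem": "maven", "name": "com.example:legacy-xml"},
                  "manifest_path": "build.sbt"},
   "security_advisory": {"ghsa_id": "GHSA-example-0005", "severity": "high"},
   "security_vulnerability": {"vulnerable_version_range": "<= 0.9.1",
                              "first_patched_version": null}}
]
"""

# Constructed: what the build currently pins, keyed the way Maven-ecosystem alerts name
# packages ("groupId:artifactId", Scala binary-version suffix included on the artifactId).
SAMPLE_CURRENT_DEPS: Dict[str, str] = {
    "com.example:parser_2.13": "1.4.0",
    "com.example:http-client": "2.8.1",
    "com.example:legacy-xml": "0.9.1",
    "com.example:core_2.13": "5.2.0",
}


def version_key(version: str) -> Tuple[Tuple[int, ...], bool, str]:
    """Sort key for dotted versions: numeric segments compare as integers (1.4.10 > 1.4.9)
    and a final release sorts above its own pre-release tags (1.4.5 > 1.4.5-RC1)."""
    parts = re.split(r"[.\-+]", version.strip())
    numeric: List[int] = []
    i = 0
    while i < len(parts) and parts[i].isdigit():
        numeric.append(int(parts[i]))
        i += 1
    prerelease = "-".join(parts[i:]).lower()
    return tuple(numeric), prerelease == "", prerelease


def required_versions(alerts_json: str) -> Tuple[Dict[str, str], Set[str]]:
    """Reduce the alert list to one target per Maven package: the highest first_patched_version
    across its open alerts. Packages whose open alerts carry no patched version are returned
    separately, because no version bump can close them."""
    fixable: Dict[str, str] = {}
    unfixable: Set[str] = set()
    for alert in json.loads(alerts_json):
        if alert["state"] != "open":  # dismissed / fixed / auto_dismissed: nothing to do
            continue
        pkg = alert["dependency"]["package"]
        if pkg["ecosystem"] != "maven":  # only JVM artifacts are relevant to an sbt build
            continue
        patched = alert["security_vulnerability"].get("first_patched_version")
        if not patched:
            unfixable.add(pkg["name"])
            continue
        target = patched["identifier"]
        best = fixable.get(pkg["name"])
        if best is None or version_key(target) > version_key(best):
            fixable[pkg["name"]] = target
    return fixable, unfixable


def security_updates(current: Dict[str, str], alerts_json: str) -> List[Tuple[str, str, str]]:
    """(package, pinned, target) for each declared dependency still below its target version.
    Dependencies already at or above the patched version, and alerted packages the build does
    not declare at all, produce no entry."""
    fixable, _ = required_versions(alerts_json)
    updates: List[Tuple[str, str, str]] = []
    for name, target in sorted(fixable.items()):
        pinned = current.get(name)
        if pinned is not None and version_key(pinned) < version_key(target):
            updates.append((name, pinned, target))
    return updates


if __name__ == "__main__":
    for name, pinned, target in security_updates(SAMPLE_CURRENT_DEPS, SAMPLE_ALERTS_JSON):
        print(f"{name}: {pinned} -> {target}")
    for name in sorted(required_versions(SAMPLE_ALERTS_JSON)[1]):
        print(f"{name}: open alert, but no patched version has been published")
```

Two details matter for a "security-only" update mode: an alert whose `first_patched_version` is `null` cannot be resolved by any bump and should be surfaced rather than silently skipped, and a package with several open advisories needs the highest patched version, not the one from the first alert encountered.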

Do I understand the idea correctly, and it is the same as #535?

mzuehlke avatar Oct 18 '24 10:10 mzuehlke

Yes, it overlaps. Although the idea was not to flag updates related to vulnerabilities but to allow only updating dependencies based on security alerts. But probably we could close this one and keep the discussion on the other issue you linked.

paualarco avatar Oct 19 '24 07:10 paualarco

Got it ! Both ideas make sense 👍

mzuehlke avatar Oct 19 '24 08:10 mzuehlke