by theSIRius 2083 days ago
Isn't this already done by Dependabot[1]? I've been using it for some time with my JS/TS repos to keep my dependencies up-to-date. It's not the greatest as it sends alerts about vulnerabilities in devDependencies. But with automatic merge checks I only get an email that the issue has been fixed so it isn't the worst thing in the world.

[1] https://dependabot.com/


PM from GitHub here and author of Dependabot.

It's different.

- Dependabot looks for vulnerabilities in your dependencies, and creates pull requests to update you to fixed versions.

- Code scanning looks for vulnerabilities in your own code. So, for example, if you have written code that takes user input and creates a database instruction from it without escaping it, it will flag that you are introducing an SQL injection vulnerability.

(As an aside, we could definitely improve Dependabot to treat devDependencies differently. You do need to care about vulnerabilities in your devDependencies in _some_ cases (code exfiltration is the obvious one) but not in many - we should get smarter about distinguishing between those cases.)

> PM from GitHub here

Hey, totally off topic, sorry. Can you get someone to turn off pull-requests for the unofficial mirrors that you guys created for some open source projects? Users are being misled into thinking opening PRs there is productive, but they're not monitored by our project and we don't own the repo anyway. https://github.com/wine-mirror/wine/pulls

I've tried contacting your support, but they just tell me that they don't own the repo, which is obviously false[1]. I don't know who to reach out to.

[1] https://github.community/t/how-is-the-mirrored-from-annotati...

I had no idea that we do that, but I can try to hunt it down internally for you. Ping me an email - greysteil@github.com.

You may take a page from FFmpeg: https://github.com/FFmpeg/FFmpeg/pulls (although currently open PRs probably need to be closed somehow for that to be effective).

Apparently that doesn't work much better: https://github.com/FFmpeg/FFmpeg/pulls?q=is%3Apr+is%3Aclosed Regardless, it's kind of crappy that we have to clean up after GitHub's mess.

Thanks, that makes sense and I probably should have looked into the article properly.

I'm not sure how easy it will be to filter the devDependencies. Maybe scanning for config files (webpack, babel...) would be a good alternative to manually tagging each npm package.

No, Dependabot scans your repo for dependencies that have known vulnerabilities and suggests updating those dependencies.

This new GitHub feature will scan your code for potential vulnerabilities like SQL injection.

Wow, jinx, this is pretty much identical to the answer I just wrote!