by troygoode 4667 days ago
I like the idea of having a centralized repository of these advisories, but I need a better way of watching for changes for this to be effective. I was hoping that the Twitter feed would be that (I would just turn on SMS notification), but the Twitter feed is full of general low-value tweets like "Thanks @espreto for being our 1000th follower!". Perhaps a separate Twitter feed could be created (@nodesecurityadvisories?) that only tweets when new advisories are posted on the site?

I think the security checker from Sensio labs is the best approach to this. You can upload your composer file, which is really the list of packages you use and they'll check it against the known reports for various Symfony modules. It's got both the API and its own module with a CLI tool, so you can easily integrate it into monitoring. https://security.sensiolabs.org/

I really wish other projects had something like that (rubygems, pypi, etc.)
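To make the approach described above concrete, here is an added illustration (not code from this thread, and not the SensioLabs checker itself) of the core step such a tool performs: reading the locked package versions from a composer.lock-style file and comparing each against the affected version ranges of known advisories. The package names, versions, advisory identifiers and the ">=a,<b" range syntax are all constructed for the example.

```python
"""Match locked dependency versions against a list of known advisories.

Added example for illustration only. Package names, versions and
advisory identifiers are constructed; the range syntax (">=a,<b") is an
assumption of this example, not any specific advisory database's format.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed composer.lock-style input (not a real project's lock file).
CONSTRUCTED_LOCK = json.dumps({
    "packages": [
        {"name": "example/http-kit", "version": "v1.4.2"},
        {"name": "example/template-engine", "version": "2.0.7"},
        {"name": "example/yaml-parser", "version": "v3.1.0"},
    ]
})

# Constructed advisory list: package -> [(advisory id, affected range)].
# Identifiers are placeholders, not real advisories.
CONSTRUCTED_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "example/http-kit": [("ADVISORY-PLACEHOLDER-001", ">=1.0.0,<1.4.3")],
    "example/template-engine": [("ADVISORY-PLACEHOLDER-002", ">=2.1.0,<2.1.5")],
    "example/yaml-parser": [
        ("ADVISORY-PLACEHOLDER-003", ">=3.0.0,<3.0.9"),
        ("ADVISORY-PLACEHOLDER-004", ">=3.1.0,<3.1.2"),
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")
_CONSTRAINT_RE = re.compile(r"^(>=|<=|==|>|<)\s*(\S+)$")
_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v1.4.2' or '2.0' into a comparable tuple padded to three parts.

    A leading 'v' (as Composer emits for tagged releases) is ignored so that
    'v1.4.2' and '1.4.2' compare equal.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version: str, range_spec: str) -> bool:
    """True when every comma-separated constraint in range_spec holds."""
    v = parse_version(version)
    for constraint in range_spec.split(","):
        m = _CONSTRAINT_RE.match(constraint.strip())
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def audit_lock(lock_json: str,
               advisories: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory id) for every advisory the lock file hits."""
    findings = []
    for pkg in json.loads(lock_json).get("packages", []):
        name, version = pkg["name"], pkg["version"]
        for advisory_id, affected in advisories.get(name, []):
            if version_in_range(version, affected):
                findings.append((name, version, advisory_id))
    return findings


if __name__ == "__main__":
    for name, version, advisory_id in audit_lock(CONSTRUCTED_LOCK, CONSTRUCTED_ADVISORIES):
        print(f"{name} {version} is affected by {advisory_id}")
```

Because the check runs over the lock file rather than the loose constraints in the manifest, it reports what is actually installed; it only stays accurate if the lock file is regenerated whenever dependencies change, which is why hooking a checker like this into CI or monitoring, as the comment above suggests, matters more than running it once.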

There actually does exist one for Ruby. Check out gemcanary https://gemcanary.com/
and https://gemnasium.com (which supports npm as well)