Comment on How do you keep track of vulnerabilities?
just_another_person@lemmy.world 5 weeks agoThis is a bad idea for a number of reasons. Most obvious issue is that it doesn’t guarantee anything in the way of actually fixing vulnerabilities, because some project you use may not even be scanning their own work.
eager_eagle@lemmy.world 5 weeks ago
what’s the alternative? Write a PR yourself?
just_another_person@lemmy.world 5 weeks ago
Yup. Really easy in most cases if you’re just upgrading a dependency version of something to the next minor release up, but then it has to pass all the project CI tests, and get an actual maintainer to tag it for release. That’s how open source works though.
eager_eagle@lemmy.world 5 weeks ago
That may work for a handful of projects. It’d be my full time job if I did it for everything I run. Also, I might simply suggest maintainers to adopt dependabot or an alternative before I spend time with manual changes. These things should be automated.
just_another_person@lemmy.world 5 weeks ago
Well a PR means an upstream fix for the project. If you want to scan all your local running things, by all means change whatever you want, but it will just be potentially wiped out by the tool you mentioned if running.