How are we handling sub-dependencies in the white list? #71

ominestre · 2022-04-04T21:55:00Z

If a common shared dependency has as vulnerability that's taking a while to work through the ecosystem what happens when that is whitelisted in rotten-deps? Does the primary dependency still fail?

At minimum this should be elaborated on in the documentation.

The text was updated successfully, but these errors were encountered:

ominestre · 2022-04-12T15:41:35Z

When this question entered my head I was in the process of wrasslin' some yarn audit issues and was mixing up the goal of rotten-deps which is just outdated. It is difficult to determine something like eslint is only outdated because of a sub dependency so this isn't even a scenario I felt worth documenting.

Closing the question.

ominestre added the question Further information is requested label Apr 4, 2022

ominestre self-assigned this Apr 4, 2022

ominestre added this to Triage in Main Project Board via automation Apr 10, 2022

ominestre moved this from Triage to Planned in Main Project Board Apr 10, 2022

ominestre moved this from Planned to Doing in Main Project Board Apr 10, 2022

ominestre closed this as completed Apr 12, 2022

Main Project Board automation moved this from Doing to Done Apr 12, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How are we handling sub-dependencies in the white list? #71

How are we handling sub-dependencies in the white list? #71

ominestre commented Apr 4, 2022

ominestre commented Apr 12, 2022

How are we handling sub-dependencies in the white list? #71

How are we handling sub-dependencies in the white list? #71

Comments

ominestre commented Apr 4, 2022

ominestre commented Apr 12, 2022