I think it would be nice if the PackageOverrides config would support matches on the package dependency groups (dev, optional, etc). The simplest solution would be a simple exact match like it is used for name or ecosystem.
Examples:
Ignore a dependency group entirely
This may be useful for projects that don’t care about any issues in a certain dependency group.
Ignore a package only if it is in a certain dependency group
This is useful if vulnerabilities for a package should only be ignored as long as the package is part of a certain dependency group. Example: One might want to ignore a package if it is a dev dependency but it should raise errors if it is a production dependency.
```
[[PackageOverrides]]
name = "axios"
ecosystem = "npm"
dependency_group = "dev"
ignore = true
```
Thanks for your work on osv-scanner!
Cheers
This rewrites the package overrides logic to be composition based,
granting a lot more flexibility:
```
# ignore everything
[[PackageOverrides]]
ignore = true
# ignore everything in this group
[[PackageOverrides]]
group = "dev"
ignore = true
# ignore everything in this ecosystem
[[PackageOverrides]]
ecosystem = "go"
ignore = true
# ignore all packages named "axios" regardless of ecosystem or group
[[PackageOverrides]]
name = "axios"
ignore = true
# ignore all packages named "axios" in the npm ecosystem that are in the dev group
[[PackageOverrides]]
name = "axios"
ecosystem = "npm"
group = "dev"
ignore = true
# ... and so on
```
While some of these might seem a bit extreme, ultimately I think this is
probably the way to go as the logic itself is very straightforward and
it gives a lot more power to the people.
Since `config` is a public package, I've had to deprecate the related
existing public methods and there's a bit of naming & structural yuck
but I figure that's not a big deal since v2 is right around the corner
and again the logic itself is very straightforward.
Resolves #1211, Resolves #1155
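The composition rule the PR describes (every field an entry sets must equal the package's field, and an unset field matches anything) as an added Go example. This is not osv-scanner's own code: the `PackageOverride` and `PackageInfo` field names, the `ShouldIgnore` helper and the small hand-rolled parser for the `[[PackageOverrides]]` subset are assumptions made for this example, and the config text and package list are constructed. It also covers the request in the original issue above: `axios` is ignored only while it is an npm dev dependency, and still reported as a production dependency.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PackageOverride mirrors one [[PackageOverrides]] table (field names are an
// assumption for this example). An empty string field means "match anything",
// which is what lets the entries compose.
type PackageOverride struct {
	Name, Ecosystem, Group string
	Ignore                 bool
}

// PackageInfo is a constructed stand-in for one scanned package.
type PackageInfo struct {
	Name, Ecosystem, Group string
}

// Matches is true when every field the override sets equals the package's field.
// An override with no fields set therefore matches every package.
func (o PackageOverride) Matches(p PackageInfo) bool {
	return (o.Name == "" || o.Name == p.Name) &&
		(o.Ecosystem == "" || o.Ecosystem == p.Ecosystem) &&
		(o.Group == "" || o.Group == p.Group)
}

// ShouldIgnore is true when any matching override has ignore = true.
func ShouldIgnore(overrides []PackageOverride, p PackageInfo) bool {
	for _, o := range overrides {
		if o.Ignore && o.Matches(p) {
			return true
		}
	}
	return false
}

// ParseOverrides reads only the TOML subset used in the examples: [[PackageOverrides]]
// headers, quoted strings for name/ecosystem/group, true/false for ignore, and
// full-line # comments. It is a hypothetical helper, not a general TOML parser.
func ParseOverrides(src string) ([]PackageOverride, error) {
	var out []PackageOverride
	for n, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if line == "[[PackageOverrides]]" {
			out = append(out, PackageOverride{})
			continue
		}
		if len(out) == 0 {
			return nil, fmt.Errorf("line %d: key outside a [[PackageOverrides]] table", n+1)
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("line %d: expected key = value", n+1)
		}
		key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1])
		cur := &out[len(out)-1]
		if key == "ignore" {
			if val != "true" && val != "false" {
				return nil, fmt.Errorf("line %d: ignore must be true or false", n+1)
			}
			cur.Ignore = val == "true"
			continue
		}
		s, err := strconv.Unquote(val) // string keys must be double-quoted
		if err != nil {
			return nil, fmt.Errorf("line %d: %s must be a quoted string", n+1, key)
		}
		switch key {
		case "name":
			cur.Name = s
		case "ecosystem":
			cur.Ecosystem = s
		case "group":
			cur.Group = s
		default:
			return nil, fmt.Errorf("line %d: unknown key %q", n+1, key)
		}
	}
	return out, nil
}

// SampleConfig is constructed for this example: one ecosystem-wide entry and
// the "axios only as a dev dependency" case from the issue.
const SampleConfig = `
# ignore everything in the Go ecosystem
[[PackageOverrides]]
ecosystem = "go"
ignore = true

# ignore axios only when it is an npm dev dependency
[[PackageOverrides]]
name = "axios"
ecosystem = "npm"
group = "dev"
ignore = true
`

func main() {
	overrides, err := ParseOverrides(SampleConfig)
	if err != nil {
		panic(err)
	}
	for _, p := range []PackageInfo{{"axios", "npm", "dev"}, {"axios", "npm", "prod"}, {"lodash", "npm", "dev"}} {
		fmt.Printf("%-8s %-4s %-5s ignored=%v\n", p.Name, p.Ecosystem, p.Group, ShouldIgnore(overrides, p))
	}
}
```

The matcher treats an absent field as a wildcard rather than as an empty string to compare against, which is the whole point of the composition design: `[[PackageOverrides]]` with only `ignore = true` matches everything, and each field added narrows the match.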