Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Drop dependency check plugin #832

Open
MALPI opened this issue Jan 6, 2023 · 3 comments
Open

Drop dependency check plugin #832

MALPI opened this issue Jan 6, 2023 · 3 comments
Labels
Feature

Comments

@MALPI
Copy link
Member

MALPI commented Jan 6, 2023

With dependabot being in place to bump dependencies I would suggest to drop the dependency check plugin as it's pointless to maintain the list of CVE supressions. All we can do anyways is upgrading the dependencies.

@danielrohe what do you think?
@MALPI MALPI added the Feature label Jan 6, 2023
@MALPI MALPI mentioned this issue Jan 6, 2023
Merged
@danielrohe
Copy link
Member

yes we can remove the dependency check plugin.

@whiskeysierra
Copy link
Collaborator

When it comes to vulnerabilities in dependencies, you have more than just 1 option though:

  1. Update
  2. Replace/rewrite (with a different or hand-written alternative)
  3. Suppress

CVE suppressions serve as a documentation.
They give users an idea about the status and quality of the project.
If you combine them with until, you can even give your future self a hint about re-evaluating a suppression.

@MALPI
Copy link
Member Author

MALPI commented Jan 27, 2023

So what is your suggestion @whiskeysierra, from my point of view I don't see a huge benefit yet in maintaining a list of suppression to be honest?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@whiskeysierra @MALPI @danielrohe