@Benjamin Bouvier or other embark folks: it just occured to me it might be useful for cargo deny to support something like "ignore until the following date", see for example https://github.com/bytecodealliance/wasmtime/issues/2882
basically, a snooze button for non-urgent advisories
Ah that's an interesting use case! So cargo-deny is run in automation, and that means that it will trigger on the first PR for which CI is running after this date. It might look like an unexpected CI issue, with an easy fix. Does that sound ok?
That's the experience today too, I think, since new advisories can appear at any time, right? I.e. any given CI run might show a new failure (but that's the point); I guess a "snooze" would just cause that to appear in a later CI run instead
Ah, you're right. Maybe there's a scheme where the sec-advisories could be run as part of a separate github action, run periodically (cron-like; i think github supports this), while the deny restrictions would be limited to PRs (which are the only place where a new dependency can be added)
... unless the sec-advisories comes with dependency checks, in which case my suggestion wouldn't work
I'll open an issue in any case, thanks @Pat Hickey for the suggestion! (Can't guarantee it'll be implemented, but it's nice to keep track of it)
+1 to the cronjob-mode idea but I guess that's a separate feature-request :-)
thats a good point, if a security advisory comes in and we arent making PRs frequently enough, we may not discover it with automation for a while, so probably we should run it in a cron job anyway
just as an additional check on top of PRs
Last updated: Dec 23 2024 at 13:07 UTC