Audit the diff in PRs? #534
Replies: 3 comments 4 replies
-
As far as I know does Filing an issue is probably the way to go. Maybe we are not the only ones with failing PRs everywhere.
-
As a quick and easy fix, we could add a `.cargo/audit.toml` with:

```toml
[advisories]
ignore = [
    "RUSTSEC-2020-0071", # `time` localtime_r segfault
    "RUSTSEC-2020-0159", # `chrono` localtime_r segfault
]
```
-
Hey, just want to note that I've stumbled on https://github.com/actions/dependency-review-action.
-
Currently, PRs are getting marked as failing because the audit fails. This is happening a lot with the dependabot PRs. However, most of the time it is not the PRs that introduce the audit failure, so I believe it is inaccurate to mark many of these PRs as failing.
I think that, ideally, only the diff should be audited in PRs. That is, if the PR changes or adds a dependency, it should be that dependency only that is audited, not all dependencies.
Currently, I doubt this is reasonable to do in this repo without upstream changes to `actions-rs/audit-check`. It might be possible by generating temp files using the git diff, though.

If this makes sense, I can open an issue with `audit-check`.