Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> If upstream (which you’ve vendored) releases a security fix, how does your system capture and act on that event?

You still retain the Cargo.toml and Cargo.lock, so the exact same way as if you didn't vendor: `cargo-audit` would inform you, you'd update the version, and re-vendor.



It’s not how do you do that, it’s What (systemically) triggers you to do that?

Are some developer(s) on the team responsible for subscribing to the relevant vuln lists and scanning them each day? Do you buy in some tooling?


The cargo-audit I referred to in my previous post is that tooling, it's commonly run in CI regularly.

But, also, this is pretty far afield from my original question: I understand why keeping copies of your dependencies can introduce various things you should handle, but my original question was "what is vendoring your dependencies if not 'keeping a copy of the source code of your dependencies in the repository'"? That's my understanding of the definition of "vendoring," so I was curious what my original parents' definition was.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: