Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It’s not how do you do that, it’s What (systemically) triggers you to do that?

Are some developer(s) on the team responsible for subscribing to the relevant vuln lists and scanning them each day? Do you buy in some tooling?



The cargo-audit I referred to in my previous post is that tooling, it's commonly run in CI regularly.

But, also, this is pretty far afield from my original question: I understand why keeping copies of your dependencies can introduce various things you should handle, but my original question was "what is vendoring your dependencies if not 'keeping a copy of the source code of your dependencies in the repository'"? That's my understanding of the definition of "vendoring," so I was curious what my original parents' definition was.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: