oh well, I don’t have a Soundcloud but we’re hiring *human* developers at @buildoHQ
- full time, in Milan
- must speak Italian
- must like botshttps://buildo.io/careers
Prikaži ovu nit
So this just happened: - a bot found a vulnerability in a dependency - a bot sent a PR to fix it - the CI verified the PR - a bot merged it - a bot celebrated the merge with a GIF https://github.com/buildo/react-components/pull/1367 …pic.twitter.com/kNEPY5RSHr
-
-
Hvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
In case someone is wondering about the timing, the PR was stuck for a few days due to an issue with our CI. Once we fixed the CI, the bot rebased the PR (of course)
Prikaži ovu nitHvala. Twitter će to iskoristiti za poboljšanje vaše vremenske crte. PoništiPoništi
-
-
-
does "a bot found a vulnerability in a dependency" involve creating a CVE, or how did this trigger a GitHub security alert?
-
This is the “Automated security fixes” feature by GitHub. Whenever a fix for a known CVE is available, it automatically sends you a PR. Seehttps://github.blog/2019-05-23-introducing-new-ways-to-keep-your-code-secure/ …
- Još 4 druga odgovora
Novi razgovor -
-
-
Dependabot can automerge if CI is green out of the box
-
yes, but GitHub's dependabot integration for security patches can't. Or did I miss something
@natfriedman? - Još 2 druga odgovora
Novi razgovor -
-
-
Could this be used to inject new vulnerabilities?
-
absolutely.
- Još 3 druga odgovora
Novi razgovor -
-
-
Hmm, wondering how this works
Does it checkout the git repo and parse all the package.json files? -
I don't know the technical details, but I assume you can implement this via the GitHub API
- Još 3 druga odgovora
Novi razgovor -
Čini se da učitavanje traje već neko vrijeme.
Twitter je možda preopterećen ili ima kratkotrajnih poteškoća u radu. Pokušajte ponovno ili potražite dodatne informacije u odjeljku Status Twittera.