Comments (4)
Hi @gsilvapt!
Your issue is a pertinent one, and it's also our opinion that any dependency vulnerability should be detected and fixed as soon as possible. We also agree that, without unit tests, any automatic fix could lead to breakages, which we want to avoid.
We are currently looking into issue #7. There are a number of specificities of this type of application that make it a non-trivial task. As soon as there are some developments there we will get back to this one.
Meanwhile, we are fixing the 259 vulnerabilities (#17).
from stayaway-app.
@bertolo1988 one of the reasons I suggested dependabot was because it is safer than doing auto-fix blindly.
You obviously always review the PRs created by dependabot before merging. It just really makes the process easier.
If you don't think auto-fix is feasible/safe, maybe dependabot would be a good strategy.
I've used it for personal projects and had a good experience.
I would not recommend updating any dependency without a deep inspection. Due to the nature of this project, the risk of being targeted is very high, and it is quite easy to inject malicious code through not-so-well-maintained projects.
(I opened a ticket about this a few days ago: #84. It got closed after one dependency fix, but there are thousands in the tree that are auto-updating.)
In a private project I would trust dependabot without issues.
Opening a FE project to the public just for the sake of showing is ridiculous: this project gives all the information a malicious user could ever want plus you can't even prove this source is the one being deployed and distributed.
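The two points above (review what dependabot changes; thousands of transitive packages can move on their own) can be checked mechanically. As an added example, not code from stayaway-app or its authors, this Node script lists which `package.json` specifiers are allowed to float and which lockfile entries were installed without an integrity hash; both manifests are constructed samples.

```javascript
// Added example: audit dependency specifiers and lockfile integrity.
// PACKAGE_JSON and PACKAGE_LOCK below are constructed samples, not the
// project's real manifests; "someorg" and "sha512-CONSTRUCTED" are placeholders.

const PACKAGE_JSON = {
  dependencies: {
    react: "16.13.1",            // exact pin: only this release installs
    "react-native": "^0.63.2",   // caret: any 0.63.x, chosen at install time
    lodash: "~4.17.15",          // tilde: any 4.17.x
    "left-util": "*",            // any version at all
    "ui-kit": "latest",          // dist-tag, resolved against the registry
    "patched-lib": "github:someorg/patched-lib", // git ref, follows the branch
  },
  devDependencies: { jest: ">=26.0.0" },
};

const PACKAGE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "sample-app" },
    "node_modules/react": { version: "16.13.1", integrity: "sha512-CONSTRUCTED" },
    "node_modules/lodash": { version: "4.17.20", integrity: "sha512-CONSTRUCTED" },
    "node_modules/patched-lib": { version: "1.0.0", resolved: "git+ssh://git@github.com/someorg/patched-lib.git#abc" },
    "node_modules/ui-kit": { version: "2.1.0" },
  },
};

// Only an exact semver version (optional prerelease/build suffix) cannot
// silently resolve to a different release on a later install.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.test(spec);
}

// Every dependency whose specifier lets npm pick a newer release.
function floatingDependencies(manifest) {
  const out = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!isPinned(spec)) out.push({ name, spec, field });
    }
  }
  return out;
}

// lockfileVersion 2/3 lists every installed package under "packages" ("" is the
// root). Registry tarballs carry an integrity hash that npm verifies; entries
// without one (git refs, hand edits) are installed without that check.
function lockfileSummary(lock) {
  const entries = Object.entries(lock.packages || {}).filter(([p]) => p !== "");
  const missingIntegrity = entries.filter(([, e]) => !e.integrity).map(([p]) => p);
  return { total: entries.length, missingIntegrity };
}
```

Run it against the real `package.json` and `package-lock.json` by replacing the two constants with `JSON.parse(fs.readFileSync(...))`; the output is the list to inspect before trusting any automated update.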