zed/.github
Cole Miller e1c509e0de
Check for vulnerable dependencies in CI (#21424)
This PR adds GitHub's dependency review action to CI, to flag PRs that
introduce new Cargo.lock entries for vulnerable crates according to the
GHSA database.

An alternative would be to run `cargo audit`, which checks against the
RustSec database. The state of synchronization between these two
databases seems a bit messy, but as far as I can tell GHSA has most
recent RustSec advisories on file, while RustSec is missing a larger
number of recent GHSA advisories.

The dependency review action should be smart enough not to flag PRs
because an untouched entry in Cargo.lock has a new advisory.

I've turned off the "license check" functionality since we have a
separate CI step for that.

Release Notes:

- N/A
2024-12-02 18:48:03 -05:00
actions Update actions/setup-node digest to 39370e3 (#19979) 2024-10-31 11:28:37 -04:00
ISSUE_TEMPLATE Add additional instructions to issue templates (#20473) 2024-11-10 08:34:23 -05:00
workflows Check for vulnerable dependencies in CI (#21424) 2024-12-02 18:48:03 -05:00
cherry-pick-bot.yml Maybe make cherry-pick-bot better 2024-02-28 15:26:30 -07:00
pull_request_template.md Simplify PR template (#19337) 2024-10-16 20:22:08 -06:00