Feature spec for suppressing specific vulnerabilities #12921
## Prior Art
<!-- What prior art, both good and bad are related to this proposal? -->
When thinking about prior art we can draw inspiration from, consider GitHub Dependabot suppressions, CG suppressions, and NPM. It will be interesting to see the granularity that each solution provides (per package, per project, per advisory, etc.). Assuming that NuGet users already have experience using those other vulnerability suppression mechanisms, they likely expect a similar customer experience from NuGet.
d6d61dd to 98568e0
Only two minor things, otherwise LGTM!
Since I created this PR, GitHub won't let me approve it, but it LGTM now.
It's easy to forget about suppressions done in a config file that's not in your face. Are we thinking about some messaging (info) to state that? Like, as part of restore, something like: "Note: Some warnings due to packages having vulnerabilities have been suppressed. See , for a list of those suppressions."
view rendered spec
Note: I don't expect this to get implemented particularly soon, and I'm not going to have a lot of capacity to make frequent updates to this spec, in case it gets a lot of feedback. But I'm putting it out there now, so it has time to get sufficient feedback before it gets accepted.