First off, really happy to see the birth of the capslock tool as having a way to track capabilities used by transitive dependencies is key to mitigating supply-chain attacks.
One feature that would be really incredible to incorporate in capslock and associated tools is to easily diff the capabilities added/removed in between two versions of a given Go module/package.
And furthermore, make it possible to hook this functionality up to go get -u.
Imagine being able to run go get -u ./... to update packages of a Go module and having warnings be emitted for newly added capabilities of transitive dependencies.
E.g.
$ go get -u github.com/org/repo/pkg
WARNING: new capability added to `github.com/org/repo/pkg` (os/exec). Added in version 2023-09-26-githash.
Of course, neither go get nor capslock need to perform the capability diff itself; it could be a third glue tool that reads the versions (of updated dependencies) from go get -u and the JSON output of capabilities from capslock, and prints warnings for newly added capabilities.
Once more, thanks for working to improve this space and help regain confidence in the capabilities utilized by dependencies in the open source community.
With cheerful regards,
Robin
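The glue tool sketched in the post, as an added example that is not part of the issue and not code from the capslock project: it parses two capslock JSON reports (one taken before and one after a dependency update), computes the set of capabilities that are new per package, and prints a warning line in the format proposed above. The JSON field names (`capability_info`, `package_name`, `capability`), the capability names, the package paths and the version string are all assumptions or constructed placeholders; adapt the struct tags to the actual output of the capslock version in use, and feed the real version from the `go get -u` output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// CapabilityInfo is one (package, capability) finding. The field names are an
// assumption about the shape of capslock's JSON output; adjust the tags to the
// real schema if they differ.
type CapabilityInfo struct {
	PackageName string `json:"package_name"`
	Capability  string `json:"capability"`
}

// CapabilityReport is the top-level document of one capslock run (assumed shape).
type CapabilityReport struct {
	CapabilityInfo []CapabilityInfo `json:"capability_info"`
}

// CapSet maps a package path to the set of capabilities it uses.
type CapSet map[string]map[string]bool

// ParseReport turns raw capslock JSON into a package -> capability-set map.
func ParseReport(data []byte) (CapSet, error) {
	var rep CapabilityReport
	if err := json.Unmarshal(data, &rep); err != nil {
		return nil, fmt.Errorf("parsing capslock report: %w", err)
	}
	set := CapSet{}
	for _, ci := range rep.CapabilityInfo {
		if set[ci.PackageName] == nil {
			set[ci.PackageName] = map[string]bool{}
		}
		set[ci.PackageName][ci.Capability] = true
	}
	return set, nil
}

// AddedCapability is a capability present in the new report but not in the old one.
type AddedCapability struct {
	Package    string
	Capability string
}

// DiffCapabilities returns every capability in newSet that oldSet lacks, sorted
// for stable output. A package that did not exist before reports all of its
// capabilities as added, which is exactly what a reviewer wants to see.
func DiffCapabilities(oldSet, newSet CapSet) []AddedCapability {
	var added []AddedCapability
	for pkg, caps := range newSet {
		for c := range caps {
			if !oldSet[pkg][c] { // indexing a nil inner map is safe and yields false
				added = append(added, AddedCapability{Package: pkg, Capability: c})
			}
		}
	}
	sort.Slice(added, func(i, j int) bool {
		if added[i].Package != added[j].Package {
			return added[i].Package < added[j].Package
		}
		return added[i].Capability < added[j].Capability
	})
	return added
}

// FormatWarnings renders one warning per newly added capability, in the
// message style proposed in the issue.
func FormatWarnings(added []AddedCapability, version string) []string {
	out := make([]string, 0, len(added))
	for _, a := range added {
		out = append(out, fmt.Sprintf("WARNING: new capability added to `%s` (%s). Added in version %s.",
			a.Package, a.Capability, version))
	}
	return out
}

// Constructed sample reports standing in for two capslock runs of the same
// module, before and after `go get -u`. Paths, capability names and the
// version are placeholders, not real modules.
const OldReport = `{"capability_info":[
  {"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_FILES"}]}`

const NewReport = `{"capability_info":[
  {"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_FILES"},
  {"package_name":"github.com/org/repo/pkg","capability":"CAPABILITY_EXEC"},
  {"package_name":"github.com/org/other/net","capability":"CAPABILITY_NETWORK"}]}`

func main() {
	oldSet, err := ParseReport([]byte(OldReport))
	if err != nil {
		panic(err)
	}
	newSet, err := ParseReport([]byte(NewReport))
	if err != nil {
		panic(err)
	}
	// In a real glue tool the version string would be taken from the go get -u output.
	for _, w := range FormatWarnings(DiffCapabilities(oldSet, newSet), "v0.0.0-placeholder") {
		fmt.Println(w)
	}
}
```

The diff is deliberately one-directional: removed capabilities are not reported, because only newly gained capabilities (a dependency that starts shelling out or opening sockets) are the supply-chain signal the post asks to surface. Comparing per-package sets rather than raw finding lists also keeps the output stable when capslock reports the same capability through several call paths.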