ericcornelissen/js-regex-security-scanner

Management of non-package registry dependencies

Closed this issue · 0 comments

Some of this project's runtime and development dependencies are explicitly tracked (in package-lock.json or GitHub Actions workflows); some system-level development dependencies aren't explicitly tracked, but this is considered fine¹ (git, Make, Docker, Node.js & npm, EditorConfig); and some development dependencies aren't explicitly tracked and/or kept up-to-date but ideally would be. This issue is about that last category.

Note: Feel free to comment on this issue if you think this list is incomplete or if you have any suggestions for improvements.

Overview

  • actionlint: ideally tracked & kept up-to-date.
  • Grype: ideally kept up-to-date.
    • Updated since #160
  • hadolint: ideally kept up-to-date.
  • ShellCheck: ideally tracked & kept up-to-date.
  • Syft: ideally kept up-to-date.
    • Updated since #160
  • yamllint: ideally tracked & kept up-to-date.

Footnotes

  1. If known, these should have a minimum required version specified to make contributing easier.
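One way to act on the footnote's suggestion for the tools in the Overview is a small POSIX sh check that contributors (or CI) can run to confirm each tool is installed and meets a minimum version. This is an added example, not a script from the js-regex-security-scanner repository; the minimum versions and the version flags it assumes for each tool are placeholders to be replaced with the project's real requirements.

```shell
#!/bin/sh
# Added example (not the project's own code): verify minimum versions of the
# untracked developer tools listed in this issue. Minimum versions below are
# placeholders; the per-tool version flags are assumptions.

# version_ge A B: succeed when dotted version A >= B (numeric, component-wise;
# missing trailing components count as 0, so 2.12 == 2.12.0).
version_ge() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# extract_version TEXT: print the first dotted version number found in TEXT
# (tools print their version in different layouts, so do not parse positions).
extract_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# check_tool NAME VERSION_FLAG MINIMUM: report one line and return 0 only when
# NAME is on PATH and its reported version is at least MINIMUM.
check_tool() {
  name="$1" flag="$2" min="$3"
  if ! command -v "$name" >/dev/null 2>&1; then
    echo "MISSING  $name (need >= $min)"; return 1
  fi
  found="$(extract_version "$("$name" "$flag" 2>&1)")"
  if [ -n "$found" ] && version_ge "$found" "$min"; then
    echo "OK       $name $found (>= $min)"; return 0
  fi
  echo "OUTDATED $name ${found:-unknown} (need >= $min)"; return 1
}

# Only run the checks when invoked as "sh check-tools.sh check", so the file
# can be sourced for its functions without side effects.
if [ "${1:-}" = "check" ]; then
  status=0
  while read -r name flag min; do
    check_tool "$name" "$flag" "$min" || status=1
  done <<'EOF'
actionlint -version 1.6.0
grype version 0.70.0
hadolint --version 2.12.0
shellcheck --version 0.9.0
syft version 0.90.0
yamllint --version 1.30.0
EOF
  exit "$status"
fi
```

A non-zero exit from `check` makes the script usable as a Make prerequisite, so contributors get a clear "MISSING"/"OUTDATED" line instead of a confusing failure later in the build.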