Management of non-package registry dependencies
Closed this issue · 0 comments
ericcornelissen commented
Some of this project's runtime and development dependencies are explicitly tracked (in package-lock.json or GitHub Actions workflows), some system-level development dependencies aren't explicitly tracked but this is considered fine[1] (git, Make, Docker, Node.js & npm, EditorConfig), but some development dependencies aren't explicitly tracked and/or kept up-to-date but ideally are. This issue is about that last category.
Note: Feel free to comment on this issue if you think this list is incomplete or if you have any suggestions for improvements.
Overview
- actionlint: ideally tracked & kept up-to-date.
- Grype: ideally kept up-to-date.
  - Updated since #160
- hadolint: ideally kept up-to-date.
- ShellCheck: ideally tracked & kept up-to-date.
- Syft: ideally kept up-to-date.
  - Updated since #160
- yamllint: ideally tracked & kept up-to-date.
Footnotes
[1] If known, these should have a minimum required version specified to make contributing easier.