I was trying to locate and fork GitHub’s Dependabot in response to this user’s request on the Gitea forum when I ran into this licence.
Good find, I was not aware of it and, like yourself, am tempted to install it.
This seems like a perfect candidate for a federated service.
My schedule is completely packed for this year, but this seems like an interesting problem, so I am leaving resources for anyone that’s interested:
GitHub’s implementation has a decent, high-level architecture overview of how it works.
- Every supported forge requires a method to fetch (package management) files from the forge
- Every supported package manager requires a parser implementation to understand how dependencies are described
- Every supported package repository (pypy.org, crates.io, etc.) requires an implementation to get the latest version
- Additionally, vulnerable dependencies must be checked and warned about (emails to the maintainer or other private and secure channels).
Many code analysis services use this endpoint for cheap and on-demand source files fetching, so there is incentive in defining source files fetching within the ForgeFed spec.
The GitLab implementation relies on the GitHub Advisory database, which per the GitLab Dependabot documentation, requires a GitHub access token. But I believe the GitHub Advisory database can be replaced with the NIST Vulnerability Database (NVD) feeds. If anyone is aware of other trusted, independent sources, kindly let me know.
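As an added example (not code from Dependabot, GitLab, or the poster), here is a minimal offline sketch of the steps the list above describes for one package manager: parse a pip requirements file, compare each pin against a registry snapshot (stand-in for the "latest version" lookup), and flag pins that fall inside an advisory's affected range (stand-in for an NVD or GHSA feed). The manifest, registry snapshot, advisory ranges and advisory ids are all constructed, not real data.

```python
# Constructed, self-contained sketch of the parse -> latest-version ->
# advisory-check pipeline. Every value below is made up for illustration.
import re

REQUIREMENTS = """\
requests==2.25.0
urllib3==1.26.4
# comment lines and blank lines are skipped

flask==2.0.3
"""

# Constructed registry snapshot: package -> latest published version.
LATEST = {"requests": "2.31.0", "urllib3": "2.0.7", "flask": "3.0.0"}

# Constructed advisories: (package, first affected, first fixed, id).
ADVISORIES = [
    ("urllib3", "1.26.0", "1.26.5", "ADVISORY-EXAMPLE-1"),
    ("requests", "2.0.0", "2.31.0", "ADVISORY-EXAMPLE-2"),
]

def parse_version(v):
    """Numeric-only comparison key; enough for the simple pins used here."""
    return tuple(int(x) for x in v.split("."))

def parse_requirements(text):
    """Return {name: pinned_version} for 'name==version' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def check(deps, latest=LATEST, advisories=ADVISORIES):
    """Report outdated pins and pins inside an advisory's affected range."""
    report = {}
    for name, pinned in deps.items():
        entry = report.setdefault(name, {"outdated": False, "advisories": []})
        if name in latest and parse_version(latest[name]) > parse_version(pinned):
            entry["outdated"] = True
        for pkg, first_bad, fixed, adv_id in advisories:
            # affected if first_bad <= pinned < fixed
            if pkg == name and parse_version(first_bad) <= parse_version(pinned) < parse_version(fixed):
                entry["advisories"].append(adv_id)
    return report
```

Calling `check(parse_requirements(REQUIREMENTS))` yields one entry per pinned package; a real service would replace the two dicts with registry and advisory-feed lookups.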