🕵️♂️ go_over
A tool to audit Erlang & Elixir dependencies, to make sure your ✨ gleam projects really sparkle!
🚨 NOTE: security advisories are NOT currently monitored for gleam dependencies. The language, while excellent, is far too new and niche
🔽 Install
gleam add --dev go_over
📣 Also!
- add
.go-over/
to your.gitignore
- make sure
git
&curl
are installed
🌸 Javascript
If running with Javascript install
{
"devDependencies": {
"yaml": "^2.4.3"
}
}
Bun, Deno & Nodejs are all supported!
▶️ Usage
gleam run -m go_over
🎥 Obligatory Asciinema
🏴 Flags
Override config values if set
--force
: will force pulling new data even if the cached data is still valid--format=<format>
: specify the output format of any warnings.["minimal", "detailed", "json"]
--outdated
: will additionally check if newer versions of dependencies exist--ignore-indirect
: will ignore all warnings for indirect dependencies
⚙️ Config
Optional settings that can be added to your project’s gleam.toml
[go-over]
# disables caching if false
# default: true
cache = true
# sets output format for warnings ["minimal", "detailed", "json"]
# default: "minimal"
format = "minimal"
# will additionally check if newer versions of dependencies exist
# default: false
outdated = false
# will ignore all warnings for indirect dependencies
# default: false
# DEPRECATED use go-over.ignore.indirect instead
ignore_indirect = false
[go-over.ignore]
# will ignore all warnings for indirect dependencies
# default: false
indirect = false
# will ignore all warnings for dev-dependencies. Note: to ignore indirect dependencies regardless of source see go-over.ignore.indirect
# default: false
dev_dependencies = false
# list of package names to skip when auditing dependencies
# default: []
packages = ["example_package"]
# list of warning severities to skip when auditing dependencies
# default: []
# (case insensitive)
severity = ["example_moderate"]
# list of advisory IDs to skip when auditing dependencies
# default: []
ids = ["GHSA-xxxx-yyyy-zzzz"]
⌛ Caching
- Security advisory data is cached for six hours
- hex.pm retired package data is cached for one hour
🪝 pre-commit hooks
You can add go_over to you’re pre-commit hooks by installing 🌵cactus & then adding this to your gleam.toml
[cactus.pre-commit]
actions = [
{ command = "go_over", kind = "module", args=["--outdated"] ,
]
⚙️ CI
You can also schedule daily runs to keep your deps up to date and open issues when necessary! Example ▶️
🖌️ Other Art
- As I’m sure is no surprise this tool is inspired by (and all around worse than) mirego/mix_audit. Please check it out!
- It also draws inspiration from mix hex.audit
⚖️ License
-
This tool uses mirego/elixir-security-advisories which is it self licensed with
BSD-3-Clause license
CC-BY 4.0 open source license
.- See their #license section
-
Code original to this repo is Licensed under
MIT