-
Notifications
You must be signed in to change notification settings - Fork 123
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manually tracking dependencies #376
Comments
👋 @calvinhughes can you explain what you mean here a little more? how are the dependencies being loaded externally so that the package manage doesn't know about them? This scenario was close to the intention of the manifest source as you've called out, however I can see how the workaround you're using can be annoying. Before proposing any feature work or solutions, I'd love to get a better idea how the dependencies are sourced and used 🙇 |
@jonabc So a common case is typically in older projects without a package manager or they use something like WordPress. There it contains scripts like jQuery, Bootstrap, Intercom etc loaded using
While caching the script is preferred (and definitely a good idea security-wise!) for things like jQuery or Bootstrap which are static; it's a bit more problematic for ones that are dynamic and kept updated by the service for something like Intercom or Google Tag Manager. The main reason for wanting these recorded is mostly to have a single source of truth in one place ( Hope that example helps :) |
@calvinhughes ahhh got it, yeah I see the difficulty you're describing. thanks for the example! I think the only way to make this easier would be to put in a |
@jonabc yep, it's not blocking at the moment so I can work with that fine. I'll see if I can find some time to develop a manual source that I can try out, and submit a PR? |
That would be great! |
Hey 👋
Is there any particular method you've used for tracking manual sources? I understand there's the Manifest source which looks like it can be used for files in the repository; but what I'm looking to solve is those ones being loaded externally which have no such file. For example with
license_finder
it's possible to track hidden dependencies which are then registered in the list.My way of doing it as a workaround is perhaps to generate a bogus manifest entry and adjust the yml so that's used or perhaps caching the files to be used in the manifest. Do you think that might be the best approach? Or might you recommend implementing a new "manual" source that could be controlled via the CLI?
Thanks!
The text was updated successfully, but these errors were encountered: