Checking dependencies listed in cabal.project source-repository-package

[BebeSparkelSparkel]

It would be helpful to have some insights to forked packages listed in the cabal.project file and if that fork has unresolved vulnerabilities.

[MangoIV]

I guess you mean if you have a cabal.project file, that has source-repository packages declared, there should be information on that?

What kind of information do you imagine? A fork would still have versioning, so if you e.g. have some vulnerable library x that is vulnerable from version n and you have a fork of x with version >= n, then this vulnerability would still show up.

[BebeSparkelSparkel]

Something like that. If using git, you could look to see if the error is in the history without the fix commit.

I may be incorrect with the following, but if the fork also increments the version numbers it could be hard to tell if the fix has been added.

[MangoIV]

Yes, it appears. Perhaps we could add a warning like “this dependency is included in your project a fork, take extra care”

[BebeSparkelSparkel]

That's a good start.

[MangoIV]

I think I will make this part of a larger task that I’m imagining to also suggest updating outdated dependencies, I think that’s a good fit.

[BebeSparkelSparkel]

Many will want a flag to disable that option.