We should look at automated (with review) dependency management to mitigate the impact of pinning dependency versions.
Tools such as dependabot can assist here; there may be others.
> The work to maintain these distinct pinned versions (which is notable... for example there's a risk of actually worsening security if an urgent patch isn't fixed up) is to use automated dependency management tools, such as dependabot.
That in turn is something I entirely agree with: Using dependabot would be better -- but it would mean work to deploy and maintain, etc. If you're willing to take this on (or know someone who would), please by all means, do -- I just cannot.
Originally posted by @baentsch in open-quantum-safe/liboqs#1780 (comment)
I can start looking at this if there's agreement it's appropriate.
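As an added illustration of what "automated (with review) dependency management" looks like in practice, here is a minimal Dependabot configuration. This is example code, not a file from the liboqs repository; it assumes the repository pins GitHub Actions by commit SHA and tracks third-party code as git submodules, and the label name is a placeholder.

```yaml
# .github/dependabot.yml (added example, not the liboqs project's own file)
# Assumption: the repository pins GitHub Actions by commit SHA and vendors
# upstream code as git submodules; those are the two ecosystems watched here.
version: 2
updates:
  # Keep SHA-pinned actions in .github/workflows current. Dependabot rewrites
  # the pinned commit (and its version comment) in a pull request, so the
  # pin itself is preserved and a human reviewer still decides on the merge.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"   # placeholder label; use the repository's own
  # Track git submodules for new upstream commits so a pinned submodule
  # does not silently fall behind an urgent upstream fix.
  - package-ecosystem: "gitsubmodule"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```

The ongoing "work to deploy and maintain" then reduces to triaging the pull requests Dependabot opens: each one shows the old and new pinned revision, CI runs against it, and nothing changes on the main branch until a maintainer approves it. The `open-pull-requests-limit` keeps the review load bounded if several pinned dependencies move at once.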