dependabot-core VS Mastodon

Compare dependabot-core and Mastodon and see how they differ.

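| | dependabot-core | Mastodon |
|---|---|---|
| Mentions | 30 | 1,225 |
| Stars | 3,858 | 45,874 |
| Growth | 2.1% | 0.8% |
| Activity | 10.0 | 10.0 |
| Last commit | 3 days ago | 6 days ago |
| Language | Ruby | Ruby |
| License | GNU General Public License v3.0 or later | GNU Affero General Public License v3.0 |
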
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

dependabot-core

Posts with mentions or reviews of dependabot-core. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-04-12.
  • Why I recommend Renovate over any other dependency update tools
    6 projects | news.ycombinator.com | 12 Apr 2024
    Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)

    Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing it" would re-introduce the same potential vulnerability).

  • Storybook 8
    5 projects | news.ycombinator.com | 13 Mar 2024
    Storybook is great and all, but these days nearly every Dependabot alert I get is about a sub-dependency of Storybook. Since Dependabot doesn't currently allow you to ignore dev dependencies and only check production dependencies [0], this makes Storybook a Big Noise Generator and every time I dismiss another alert from it, I can't help but wonder if there's a better option out there.

    [0] https://github.com/dependabot/dependabot-core/issues/2521

  • Keeping dependencies in your GitHub projects up-to-date with Dependabot
    5 projects | dev.to | 6 Jan 2024
    P.S. While this is a powerful and handy tool in itself, it is only a part of Dependabot’s capabilities. If you are interested, you’ll find more about them in the GitHub docs.
  • How to Manage Helm Chart Dependency Versions?
    2 projects | /r/helm | 4 Aug 2023
    Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.
  • Dependabot vs RenovateBot
    2 projects | /r/golang | 27 Jun 2023
    - https://github.com/dependabot/dependabot-core
  • Introducing Bld: A New Pure Java Build System
    14 projects | /r/java | 12 Apr 2023
    An important point is that this kind of metadata often needs to be accessible from outside the build system itself. You need that, for example, in order to integrate with renovate-bot or GitHub's dependabot, to check your dependencies against CVEs, to build SBOMs and various other additional tasks that are not part of the build itself, but related to the build's metadata. This is all functionality I don't want to reimplement, I want to use what's already out there. And for that the build system needs to have some minimum amount of compatibility with existing standard metadata files like pom.xml or build.gradle.
  • OpenAI, MinIO, And Why You Should Always Use docker-cli-scan To Keep Your Supply chAIn Clean
    4 projects | /r/GreyNoiseIntelligence | 24 Mar 2023
    To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use GitHub’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.
  • OCI Helm chat repo with common apps
    4 projects | /r/kubernetes | 2 Nov 2022
    I recognize that it does not handle chart updates, but it might still ease the burden of applying minor releases easily etc. For the chart versions themselves, unfortunately dependabot does not support this and will not, but something like renovatebot does. Could be worth looking into as a dual approach.
  • Private profiles are now generally available on GitHub
    5 projects | news.ycombinator.com | 29 Sep 2022
    Disclosure: Renovate author

    Renovate is indeed AGPL, but if you're just running it as a CLI, do you think there's anything to "watch out for"? It does not make any project you run it against AGPL, that's for sure.

    Also you should be aware that dependabot-core, which dependabot-gitlab wraps, is not technically Open Source at all: https://github.com/dependabot/dependabot-core/blob/main/LICE...

  • We use Dependabot to secure GitHub
    10 projects | news.ycombinator.com | 25 May 2022
    Waiting for Yarn v2/v3 support in Dependabot has been a saga.

    https://github.com/dependabot/dependabot-core/issues/1297

Mastodon

Posts with mentions or reviews of Mastodon. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-03-15.
  • Alt Text box can't fit one screenshot of text
    1 project | news.ycombinator.com | 21 Apr 2024
    Interestingly there is some discussion for Mastodon with people asking the limit to be smaller, which raises the question as to the purpose of alt text, and how to properly handle larger text lengths in screen reader programs.

    https://github.com/mastodon/mastodon/issues/12268

  • Open source at Fastly is getting opener
    10 projects | dev.to | 15 Mar 2024
    Through the Fast Forward program, we give free services and support to open source projects and the nonprofits that support them. We support many of the world’s top programming languages (like Python, Rust, Ruby, and the wonderful Scratch), foundational technologies (cURL, the Linux kernel, Kubernetes, OpenStreetMap), and projects that make the internet better and more fun for everyone (Inkscape, Mastodon, Electronic Frontier Foundation, Terms of Service; Didn’t Read).
  • Bluesky announces data federation for self hosters
    7 projects | news.ycombinator.com | 22 Feb 2024
    Mastodon DMs have absolutely no privacy: https://github.com/mastodon/mastodon/issues/18079

    For a decentralized protocol doing things right is much more important than doing things fast, it is very difficult (and in a lot of cases impossible) to break backwards compatibility.

  • External OpenID Connect Account Takeover by Email Change
    1 project | news.ycombinator.com | 15 Feb 2024
  • Ask HN: Best practice for posting links to large Mastodon threads?
    1 project | news.ycombinator.com | 9 Feb 2024
    Postmortem on what happened here: https://news.ycombinator.com/edit?id=39305884

    The v1 API of Mastodon limits the size of the tree that it will expand for users who are not logged into the server: https://github.com/mastodon/mastodon/blob/main/app/controllers/api/v1/statuses_controller.rb . I am guessing that this or some similar limit applies to threads being returned to unauthenticated users of the web UI. It just arbitrarily stops expanding the replies at some point, including the main thread from the OP.

    If a thread is truncated, users expect it to expand automatically and autoscroll when you hit the bottom. In my desktop browser, that does not occur, and there is no indication that there is more to see. This is the situation of the web interface as of Mastodon version 4.2.5.

    The issue is very sensitive to observer conditions. If you are logged into the server, the behavior is different. If you use a Mastodon app instead of the web, the behavior might be different. As the tree expands, the cutoffs become different. If you look at the thread on a different Mastodon server, the tree is different because every server has its own view of the Fediverse.

    HN needs a best practice for linking to Mastodon threads in a way that provides a consistent experience to HN readers. The average Mastodon server would be crushed by hundreds of HN readers grabbing the entirety of a huge thread all at once, so this might involve some thread-unroll-and-cache service. I tried https://mastoreader.io/ but it did not solve the problem.

    Alternately, we push changes into the Mastodon web UI to warn users when they need to click to see more and assume that people will get used to the navigation.

    Suggestions?

  • CVE-2024-23832 Mastodon Vulnerability: Remote user impersonation and takeover
    2 projects | news.ycombinator.com | 1 Feb 2024
    Fixed in Mastodon v4.2.5 https://github.com/mastodon/mastodon/releases/tag/v4.2.5
  • Unity's Open-Source Double Standard: The Ban of VLC
    1 project | news.ycombinator.com | 12 Jan 2024
    >You can defeat the Affero clause by putting the software behind a proxy, for example

    Could someone elaborate on this? This is NOT my understanding of the license, and it seems absurd considering e.g. Mastodon is AGPL but the standard install requires a reverse proxy[1]. If using a proxy defeats Affero, why would the Mastodon team do this? Are they stupid?

    [1] https://github.com/mastodon/mastodon/blob/main/dist/nginx.co...

  • You Can't Follow Me
    7 projects | news.ycombinator.com | 11 Jan 2024
    Mastodon is free and open-source. Go ahead and add the flag:

    https://github.com/mastodon/mastodon/blob/main/CONTRIBUTING....

  • Change Referer value to something generic such as "urn:activitypub:Mastodon"
    1 project | news.ycombinator.com | 10 Jan 2024
  • Welcome to the public domain, Steamboat Willie
    1 project | news.ycombinator.com | 1 Jan 2024
    Didn't say anything about freedom of speech. And again: I'm not the one to talk to. I don't have any strong feelings on the topic, but if you do, you should take it somewhere that people who can do something about it will see.

    I tried to find an existing discussion to help get you started, but couldn't. You can start one here: https://github.com/mastodon/mastodon/issues

    It's easy to sit here on Hacker News and say "they should just..."

    Coming up with a standard for an international project will be a long, noisy discussion. You'll tread on internecine conflicts you had no idea about. Old wounds from past related discussions will come out. People will soapbox.

    This is why I have no interest in discussing it. It probably won't go anywhere in a place where it actually could. It definitely won't here.

What are some alternatives?

When comparing dependabot-core and Mastodon you can also consider the following projects:

renovate - Universal dependency automation tool.

diaspora* - A privacy-aware, distributed, open source social network.

gradle-versions-plugin - Gradle plugin to discover dependency updates

Misskey - 🌎 An interplanetary microblogging platform 🚀

fetch-metadata - Extract information about the dependencies being updated by a Dependabot-generated PR.

Lemmy - 🐀 A link aggregator and forum for the fediverse

dockerfile-samples - Dockerfile samples to make your life easier

Friendica - Friendica Communications Platform

licensed - A Ruby gem to cache and verify the licenses of dependencies

GNU social - GNU social is social communication software for both public and private communications.

chaskiq - A full featured Live Chat, Support & Marketing platform, alternative to Intercom, Drift, Crisp, etc from cience.com

nostr - a truly censorship-resistant alternative to Twitter that has a chance of working