docker-install VS dependabot-core

Run the following command Above command downloads the script get-docker.sh to your local system/virtual machine from https://get.docker.com/

pct create 1000 local:vztmpl/ubuntu-24.10-standard_24.10-1_amd64.tar.zst \ --hostname net-lxc \ --net0 name=eth0,bridge=vmbr0,ip=10.1.1.2/24,gw=10.1.1.1 \ --nameserver 1.1.1.1 \ --features keyctl=1,nesting=1 \ --storage local-lvm \ --rootfs local:8 \ --ssh-public-keys .ssh/id_rsa.pub \ --unprivileged=true pct start 1000 ssh [email protected] apt update && apt install curl -y curl -s https://get.docker.com | sudo bash curl -L https://github.com/siderolabs/talos/releases/download/v1.9.5/initramfs-amd64.xz -o initramfs-amd64.xz curl -L https://github.com/siderolabs/talos/releases/download/v1.9.5/vmlinuz-amd64 -o vmlinuz-amd64

$ curl -sSL https://get.docker.com/ | sh

# Using Ubuntu 24.04 as the launchpad FROM ubuntu:24.04 # Installing essential supplies RUN apt-get update \ && apt-get install -y --no-install-recommends \ ca-certificates \ curl \ gnupg \ iptables \ supervisor # Summoning Docker with the elegance of a magic spell RUN curl -fsSL https://get.docker.com | sh # Infusing NVIDIA Container Toolkit for GPU wizardry RUN curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \ && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \ sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \ tee /etc/apt/sources.list.d/nvidia-container-toolkit.list \ && apt-get update \ && apt-get install -y nvidia-container-toolkit \ && nvidia-ctk runtime configure --runtime=docker \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* # Unveiling the entrypoint script and overseeing Supervisor's watchful eye COPY entrypoint.sh /usr/local/bin/ COPY supervisor/ /etc/supervisor/conf.d/ # Empowering the entrypoint script with executable powers RUN chmod +x /usr/local/bin/entrypoint.sh # Creating a sanctuary for Docker's data vault VOLUME /var/lib/docker # Guiding the container to its starting point ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] # When all else fails, let's have a bash! CMD ["bash"]

$ curl -fsSL https://get.docker.com -o get-docker.sh $ sudo sh get-docker.sh $ sudo usermod -aG docker $USER #add user to the docker group $ docker version Client: Docker Engine - Community Version: 27.4.0 API version: 1.47 Go version: go1.22.10 Git commit: bde2b89 Built: Sat Dec 7 10:38:40 2024 OS/Arch: linux/amd64 Context: default ...

curl -fsSL https://get.docker.com -o get-docker.sh sudo sh get-docker.sh

curl -sSL "https://get.docker.com/" | bash

If you just click on the file like this link (https://github.com/docker/docker-install/blob/master/install.sh), right click to inspect and you will see it is in html.

More Details: Review the updates at Dependabot-core GitHub releases.

Dependabot- Integrated with GitHub

Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)

Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing it would re-introduce the same potential vulnerability).

Storybook is great and all, but these days nearly every Dependabot alert I get is about a sub-dependency of Storybook. Since Dependabot doesn't currently allow you to ignore dev dependencies and only check production dependencies [0], this makes Storybook a Big Noise Generator and every time I dismiss another alert from it, I can't help but wonder if there's a better option out there.

[0] https://github.com/dependabot/dependabot-core/issues/2521

P.S. While this being a powerful and handy tool itself, it is only a part of Dependabot’s capabilities. If you are interested, you’ll find more about them in the GitHub docs.

Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.

- https://github.com/dependabot/dependabot-core

An important point is that this kind of metadata often needs to be accessible from outside the build system itself. You need that for example in order to integration with renovate-bot or github's dependabot, to check your dependencies against CVEs, to build SBOMs and various other additional tasks that are not part of the build itself, but related to the build's metadata. This is all functionality I don't want to reimplement, I want to use what's already out there. And for that the build system needs to have some minimum amount of compatibility with existing standard metadata files like pom.xml or build.gradle

To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use Github’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.

I recognize that it does not handle chart updates, but it's might still ease the burden of applying minor releases easily etc. For the chart versions themselves, unfortunately dependabot does not support this and will not, but something like renovatebot does. Could be worth looking into as a dual approach