On Mon, Jul 31, 2023 at 11:05 David Christiansen via ghc-devs wrote:

> Dear GHC devs,
>
> I think that having automated security advisory warnings from build tools
> is important for Haskell adoption in certain industries. This can be done
> based on build plans, but a package is really the wrong granularity - a
> large, widely-used package might export a little-used definition that is
> the subject of an advisory, and it would be good to warn only the users of
> said definition (cf base and readFloat).
>
> Tristan is exploring using HIE files to do this check, but I don't know if
> you read Discourse, where he posted the question:
> https://discourse.haskell.org/t/rfc-using-hie-files-to-list-external-declarations-for-cabal-audit/7147
Thank you David for bringing this up here.

One thing to note is that we would need hie files for ghc libraries, as proposed in:
https://gitlab.haskell.org/ghc/ghc/-/merge_requests/1337

Cheers,
-Tristan
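To make the granularity argument in the quoted message concrete, here is an added illustration (not part of the ghc-devs thread, and not cabal-audit's code) of the matching step that would sit downstream of the HIE-based declaration listing. It compares the two policies side by side: a build plan alone can only say "a vulnerable version of package X is in the plan", while a list of the external declarations a project actually refers to lets the tool warn only when one of the advisory's named definitions is used. The advisory schema, the advisory ids (placeholders), the `text` package entry and the declaration lists are constructed for this example; only `base` and `readFloat` come from the message.

```python
"""Definition-granularity vs package-granularity advisory matching.

Added example, not part of the ghc-devs message or of cabal-audit.  The
advisory record shape, the advisory ids, the build plan and the lists of
referenced declarations are all constructed for this illustration.
"""

from dataclasses import dataclass
from typing import Optional

# Haskell PVP versions such as "4.18.0.0" compare correctly as int tuples.
Version = tuple[int, ...]


def parse_version(s: str) -> Version:
    """'4.18.0.0' -> (4, 18, 0, 0)."""
    return tuple(int(part) for part in s.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str                   # advisory id (placeholder values below)
    package: str
    affected_from: Version       # inclusive lower bound
    fixed_in: Optional[Version]  # exclusive upper bound; None = no fix yet
    # Fully qualified definitions the advisory concerns, e.g. "Numeric.readFloat".
    # An empty set means the whole package is affected.
    definitions: frozenset[str] = frozenset()

    def affects_version(self, v: Version) -> bool:
        return v >= self.affected_from and (self.fixed_in is None or v < self.fixed_in)


def audit(build_plan: dict[str, str],
          used_declarations: dict[str, set[str]],
          advisories: list[Advisory]) -> tuple[set[str], set[str]]:
    """Return (package_level_hits, definition_level_hits) as sets of advisory ids.

    build_plan:        package -> version in the build plan.
    used_declarations: package -> fully qualified names the project refers to
                       (the kind of list an HIE-file walk would produce).
    """
    package_hits: set[str] = set()
    definition_hits: set[str] = set()
    for adv in advisories:
        version = build_plan.get(adv.package)
        if version is None or not adv.affects_version(parse_version(version)):
            continue
        # Package granularity: any affected package version in the plan warns.
        package_hits.add(adv.ident)
        # Definition granularity: warn only if a named definition is actually
        # referenced (or the advisory covers the whole package).
        used = used_declarations.get(adv.package, set())
        if not adv.definitions or adv.definitions & used:
            definition_hits.add(adv.ident)
    return package_hits, definition_hits


# Constructed sample data: the project builds against base and text, and
# refers to a few ordinary declarations but never to Numeric.readFloat.
BUILD_PLAN = {"base": "4.18.0.0", "text": "2.0.2"}
USED = {"base": {"Data.List.sortOn", "Prelude.putStrLn"},
        "text": {"Data.Text.pack"}}
ADVISORIES = [
    # Placeholder id: an advisory scoped to a single definition in base.
    Advisory("HSEC-PLACEHOLDER-1", "base", parse_version("4.0.0.0"), None,
             frozenset({"Numeric.readFloat"})),
    # Placeholder id: a whole-package advisory with a fixed version.
    Advisory("HSEC-PLACEHOLDER-2", "text", parse_version("2.0.0"),
             parse_version("2.0.3")),
]

if __name__ == "__main__":
    pkg, defn = audit(BUILD_PLAN, USED, ADVISORIES)
    print("package-level warnings:   ", sorted(pkg))
    print("definition-level warnings:", sorted(defn))
```

With the sample data, the package-level policy reports both advisories, while the definition-level policy drops the `base` one because the project never refers to `Numeric.readFloat`; adding that name to the `base` entry of `USED` makes the warning reappear.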
_______________________________________________
ghc-devs mailing list
ghc-devs@haskell.org
http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs