Just to capture a suggestion that Andrew Purtell made during the CVE-2024-3094 
triage:

> What would make sense, if we are tossing ideas around as asides, is providing 
> PMCs and devs resources that help identify problematic dependencies. A Snyk 
> subscription. Or a Sonatype offering. The GitHub integration already provides 
> notification of problematic dependencies via GitHub's Dependabot.

Which I think are good suggestions and worth following up on.

> And then perhaps consider as a factor in Whimsey's community health metric 
> how many unaddressed security issues exist in a project's code bases. 
Which I like as it is more positive than the current security@ feedback options 
that are all late (with warnings quite private unless you track the (public) 
board minutes) and of the draconian type. This would be a more positive & early 
feedback cycle.

Thanks,

Dw
