
julia ecosystem support

Open anandijain opened this issue 2 years ago • 5 comments

Lately I spent some time writing a Julia package to analyze the dependency graph of the Julia General registry (https://github.com/JuliaRegistries/General/): https://github.com/anandijain/MyPkgGraph.jl

I'm wondering what it would take to have Julia as a part of the advisory ecosystem.

Thanks!

anandijain avatar Feb 10 '23 05:02 anandijain

Thanks for writing in @anandijain!

Are you looking for Julia to be supported purely as an ecosystem option you can select when writing repository advisories, or do you want it to be curated and have Dependabot alerts sent on Julia packages as well?

KateCatlin avatar Feb 15 '23 20:02 KateCatlin

We published quite a few security advisories (and associated CVEs) for Julia packages via GitHub recently, and it was a bit disappointing to not have "Julia" as a supported ecosystem type. It would be nice to have that available as a fully supported option.

We would like to have Dependabot alerts as well eventually, but I guess the first order of business is to have an ecosystem option.

aviks avatar Jun 24 '25 23:06 aviks

👋 Thank you so much for reaching out and for sharing your work on analyzing the Julia ecosystem’s dependency graph. We appreciate your passion for improving security in the Julia community.

Expanding support for new ecosystems like Julia is definitely on our radar, and we recognize the value this would bring. That said, given our current priorities and resource constraints, we’re unable to provide a timeline or commit to adding Julia support in the immediate future. We’ll continue to keep an eye on interest and developments in the Julia community as we consider future enhancements to the advisory ecosystem.

Thank you again for your thoughtful suggestion and for engaging with us! Please feel free to share any further ideas or feedback.

taladrane avatar Jun 27 '25 16:06 taladrane

Hi @taladrane thank you for your response. We really appreciate the work you do on GHSAs, and the improvements it has brought about across the OSS ecosystems.

So having published a few GHSAs in Julia packages in the last week (example: GHSA with the corresponding CVE and NVD JSON), we had a few surprises.

It seems that those advisories do not make it into this repository, even in the 'unreviewed' section. Equally, they don't seem to be returned in the advisories GitHub API calls. Is that to be expected?

Moreover, in the CVE that is published on the back of the GHSA, no package information seems to be available.

As an example, here is one recent GHSA with the corresponding CVE and NVD JSON.

These issues make our GHSAs significantly less useful to our community. Should the recommendation then be to use some other infrastructure for publishing advisories until GitHub supports this ecosystem officially? That'd be a shame I think, since we really like the GHSA workflow.

aviks avatar Jul 01 '25 09:07 aviks

There's been a big push on the Julia side here, summarized in this blog post: https://julialang.org/blog/2025/11/launching-security-wg/

And note that Dependabot now has Julia support. Personally I am motivated to tie that through to the CVE reporting, so please share any gaps on our (Julia) side that you're aware of.

cc. @mbauman

IanButterworth avatar Dec 05 '25 21:12 IanButterworth