
On Mon, Jul 31, 2023 at 11:05 David Christiansen via ghc-devs wrote:
Dear GHC devs,
I think that having automated security advisory warnings from build tools is important for Haskell adoption in certain industries. This can be done based on build plans, but a package is really the wrong granularity - a large, widely-used package might export a little-used definition that is the subject of an advisory, and it would be good to warn only the users of said definition (cf. base and readFloat).
Tristan is exploring using HIE files to do this check, but I don't know if you read Discourse, where he posted the question: https://discourse.haskell.org/t/rfc-using-hie-files-to-list-external-declara...
Thank you David for bringing this up here. One thing to note is that we would need hie files for ghc libraries, as proposed in: https://gitlab.haskell.org/ghc/ghc/-/merge_requests/1337

Cheers,
-Tristan