►
From YouTube: Scorecards Biweekly Sync (July 28, 2022)
A
A
A
B
A
A
A
A
And
we
are
probably
we
are
going
to
be
using
that
api,
that
endpoint
to
start
serving
the
scorecard
and
I'm
trying
to
see
if
it
is.
This
is
the
recent
change
as
input
and
that
and
we
we
are
going
to
be
utilizing
that
for
our
api.
That
was
one
update
for
me
on
that.
I
also
added
another
item
that
I
want
to
talk
with
the
wrestle
team,
but
the
rest
of
the
maintainers
aren't
there
in
this
call.
So
I'll
probably
push
this
to
our
next
release.
A
B
A
Great,
if
you
don't
like,
can
you
comment
on
this
issue?
It'll,
be
helpful
to
understand
people,
and
also
you
can
mention
why
it'll
be
helpful.
That
way
it
is
easier
to
drive.
Why
does
it
is
easier
to
add
that
use
case
tools
that
makes
us
makes
it
critical
for
us
to
whether
we
want
to
proceed
or
not.
A
A
B
B
Yeah
yeah,
so
basically,
we
will
give
it
a
context,
and
this
this
is
the
ripple
uri
like
the
osf,
slash
scorecard,
and
we
also
need
to
give
it
a
base
and
a
half.
So
we
can
use
both
like
it
could
be
a
commit
shot
or
like
a
friendship
reference
like
men
or
death,
and
also
they
have,
and
also
we
need
to
specify
the
checks
to
run.
A
B
Bit
slow,
but
this
problem
can
be
fixed
with
the
score
guide
api
like
the
red
server,
but
we
can
shift
the
like.
You
know
running
the
scorecard
checks
on
average
tenancy
to
simply
querying
the
rest
api
to
get
the
scorecard
repo
result
for
the
ripples,
and
that
will
you
know
optimize
the
reading
speed
of
the
api
and
it
will.
It
will
be
faster.
A
A
B
A
B
B
The
skullcap
will
perform
all
of
these
security
checks
on
them
and
give
these
results
to
the
user
on
the
dependency
disk
yeah.
This
is
the
purpose
yeah.
So
the
next
thing.
The
next
thing
is
the
cri.
So
basically,
basically
I'm
using
this
cli
in
the
command
line
version
of
the
scroll
card
and
also
in
the
yeah
in
the
scorecard
action.
So
I'm
going
to
show
the
first
demo.
This
is
the
cli.
Let
me
stop
this
sharing
and
switch
to
my
terminal.
B
B
Yeah,
I
I
I'll
show
you
the
end
to
end
demo
and
you'll
understand
how
how
this
shows.
So
this
is
the
scorecard
folder
and
what
we
can
do
is
to
use
this
scorecard
directly.
This
is
this
is
the
original
usage
of
physical
card
cli,
and
so
I'm
creating
a
new
sub
command
for
the
scorecard,
the
dependency
diff
mode.
B
B
And
another
thing
is
this:
so
we
can
specify
a
fade
sorry,
we
can
specify
a
base
and
the
hat.
So
I
I'm
using
the
membranes
and
the
depth
branch
as
the
base
and
the
the
hat
for
now.
So
basically,
the
api
will
handle
this
branch
name
reference
and
to
the
latest
commit
to
the
branch.
So
we
can
either
use
the
branch
name
or
the
commit
shop
for
these
two
flags
and
next
flag
might
be
chats.
B
Yeah,
so
this
is
the
like
how
the
command
looks
like
we
need
to
specify
the
like
the
skullcast
experimental
flag,
one
to
use
this
feature,
since
this
is
a
still
a
experimental
one
and
then
the
scorecard
and
dependency
div
to
switch
to
the
supplement
and
the
ripple
and
then
the
base
and
the
hat
and
then
the
checks.
And
since
the
default
output
format
of
this
dli
is
json.
So
I'm
using
a
json
I'm
using
the
json
parser
to
output.
The
result.
B
And
so
there
will.
Let's
say
there
are
some
dependency
updates
and
some
removed
ones.
So
I'll
change
this
I'll
change,
this
a
manifest
file
to
a
new
one
and
commit
changes,
and
now
the
desk
branch.
The
step
branch
contains
some
like
new
dependencies
or
some
remove
dependencies,
and
I
can
use
the
cli
to
see
the
like
the
changes.
B
B
B
We
specify
the
checks
here
to
maintain
a
license,
so
we'll
have
the
maintained,
check
and
also
the
license
check
here.
We'll
have
the
score
for
this
check
the
reasons
and
documentation
details.
All
of
the
like.
The
security
result
field
will
be
in
the
in
this
json
result,
and
here
are
the
net
dependency
and
the
next.
B
B
Like
the
usage
of
the
coi-
and
I
have
like
several
questions
in
the
agenda
about
the
cli,
so
I
think
maybe
we
can
talk
about
them
together.
The
first.
The
first
question
is
so
I
I'm
not
sure
if
this
is
like
an
actual
requirement
for
the
user.
I
I'm
not
sure
if
the
user
would
actually
use
this
in
the
command
line.
You
know
to
manually
type
these
two
brand
branches
and
the
text
and
actually
run
this
command.
A
I'm
gonna,
I'm
gonna,
I'm
gonna
take
an
option
to
even
talk
about
this.
We
first
of
all
great
thanks
for
doing
this.
Second
thing
is:
if
we
have
an
api,
we
want
to
be
careful
about
like
if
we
are
sure
about
this.
I
really
really
nice
that
you
made
this
experimental.
So
we
can
do
a
release
with
experimental
and
get
some
feedback
on
this,
especially
with
the
with
the
scorecards
api,
the
rest
endpoint,
and
the
moment
that
comes
on
when
this
one
I'm
hoping
we
could.
A
A
B
Yes-
and
another
thing
you
might
have
is
like
the
current
output
format
of
this
vi
is
just
json
and
maybe
like
in
the
future.
We
can
add
something
more
like.
We
know
that,
like.
Let
me
just
share
my
screen,
I
know
the
default
output
format
of
skullcard
is
the
you
know,
there's
a
table
there's
a
table
for
that,
and
maybe
we
can
also
support
that
output
for
us
for
the
dependency
div
and
that
might
be,
you
know,
maybe
easier
for
the
users
to
see
the
results.
A
Sorry,
I
think
the
table
format
is
being
like.
We
won't
remove
the
table
format
because
it
is
always
painful
to
maintain
the
table
format,
so
you
want
to
try
this
one
so
yeah
right.
This
is
always
hard,
so
we
can
for
the
sub
command
say
the
output
is
only
going
to
be
json,
because
putting
all
of
this
into
a
table
format
is
extremely
hard,
so
we
could
potentially
you
could
you
could
you
could
add
that
into
your
pr
into
an
issue
say
we're
going
to
do
only
json
for
this,
and
I
people
haven't
been.
A
Let
me,
let
me
be
honest.
People
haven't
been
really
happy
with
tablespoons,
it's
extremely
hard
because,
as
the
data
get
blown
up,
it's
actually
it
gets
wrapped
up
and
it's
extremely
hard
to
read,
but
we
never
thought
when
we
came
to
table
format
initially.
All
of
this
is
going
to
be
an
issue,
so
we
never
thought
that
the
mediation
documentation
all
those
links
and
we
were
going
to
dump
all
the
people
information
in
the
table
format.
That's
what
really
messed
up
the
formatting
which
made
it
really
hard.
B
Yes,
yes
see,
I,
I
think
I'll
just
you
know,
use
the
json
as
the
default.
That's
the
default
format
in
the
first
version
and
maybe
yeah
just
create
a
pr
and
ask,
should
we
add
more
or
let
me
just
stop
which
isn't
yeah
yeah?
Yes,
yes,
yeah.
So
this
is
the
first
issue
with
this
cli
and
before
we
talk
about
the
second
thing:
let's
just
get
the
action
one
to
run
because
it's
pretty
slow
and
we
don't
want
to
wait
for
that.
B
So
let
me
let
me
just
get
the
action
one
to
run
so
the
scorecard
action
dependency.
Visualization
is
basically
another
version
of
this
feature
like
I'm
using
the
api
in
the
action
to
visualize
the
dependencies
result
in
two
ways.
The
first
is
as
a
pr
comment
and
the
second
one
is
ask
annotations,
so
I'll
show
them
separately
later,
but
first,
let's
just
get
this
run.
B
B
B
A
B
So
I
can,
I
can
see
the
dependency
if
and
this
code
and
the
scorecard
result
on
the
dependencies
like
in
a
pr
comment
here
and
also
in
the
annotation
annotations
of
the
file.
So
this
is
gonna,
take
like
three
minutes,
or
maybe
four
minutes
to
finish
this
check.
So
let
me
just
switch
back
to
the
coi
part.
A
I
have
a
mostly
if
somebody
has
to
and
probably
add
docs
to
what
is
being
like
bass
and
head
in
the
in
the
dependency
diff
having
that
as
a
doc
would
certainly
help
having
that
in
the
like,
when
I
start
that
that
giving
and
giving
a
specific
example
example
always
plays
better
so
giving
an
example
with
two
different
examples,
one
is
actually
branch
name
and
also
also,
commissioner,
as
two
examples
would
certainly
be
really
helpful.
So
what
is
base
okay
so
so
giving
an
example?
Okay,
that's
nice!
Yes,
I
think
I
think
yeah.
B
Yes,
of
course,
yeah
I'll
make
the
dot
part
better
yeah.
This
is
just
because
yeah,
we
still
have
some
discussion.
You
know
about
the
name
of
the
face
flag
and
the
half
flags
in
in
the
prs,
so
yeah
we
haven't
decided,
which
name
to
use
for
these
two
flags,
so
yeah
I'll
definitely
definitely
make
the
dots
more.
You
know
clearer
so
that
the
user
will
understand
how
these
two
flag
works.
B
Actually
here
so
after
the
check
run,
we'll
see
like
a
visualization
thing
like
this
is
a
common
pr
comment:
that's
left
by
the
github
actions,
so
we
can
see
like
the
dependency
changes,
whether
it's
added
one
updated
one
or
a
removed
one.
So
you
can
see,
there's
there's
one
dependency
per
line
like
this.
B
Gold
clock
is
added
and
it
has
a
aggregate
score
of
9.2
and
this
one
this
this
one
should
be
the
sixth
store,
this
one's
also
added,
and
it
has
a
score
of
2.5
and
for
the
version
zero,
we're
not
providing
this.
You
know
the
aggregation
scores
on
the
removed
ones,
since
it
costs
a
lot
of
time
to
run
the
scope
card
and
the
users
might
not
want
to
know.
A
B
B
So
we
can
see
some
annotations
in
the
goal
mod
manifest
file,
so
the
annotation
is
generated
on
a
per
check
basis,
so
we
might
see
like
different
annotations
with
the
same
dependency
package,
but
with
the
different
check
items
like
this.
One
is
for
maintain
and
this
one
is
for
license,
but
both
of
the
annotations
are
for
this
go
club
dot
down.
A
B
A
B
A
So
so,
if
you're
going
to
add
annotation,
are
you
going
to
add
annotation
to
coda
mod
and
go.some,
because
then
it's
going
to
become,
which
one
should
I
look
for
if,
if
going
with,
the
annotation
is
the
right
approach,
probably
think
of
using
godad
song
yeah,
because
I
think
golotham
has
everything
that
the
gomad
code,
I'm
not
requires
again,
I'm
not
an
expert
to
on
how
the
gold
and
mata
go
that
some
works.
But
I
have
a
little
bit
of
knowledge
to
say.
B
Current
data
source
api,
the
github
definition
review-
will
use
both
the
manifest
file
and
the
log
file
and
the
reason
I'm
using
I'm
only
using
a
you
know.
Gob
file
is
this
is
a
simpler
for
a
demo
but
yeah.
Definitely
we
can.
We
can
also
see
the
changes
in
the
gold
dot
song.
You
know
the
log
file
and
it
it
does
works
like
the
github
api
does
work
for
a
gold
manifest
file
and
a
gold
log
file.
B
But
I
remember
there
was
one
time
when
I
was
testing
it
on
the
pythons
manifest
file
and
the
python
log
file,
and
it
seems
the
api
just
confused
the
dependencies
in
these
two
files,
like
like
yeah
for
a
python
ecosystem,
like
it
will
put
all
of
the
indirect
dependencies
in
the
like
the
pet
log
pip.log
or
I
I
don't
remember.
The
name
is
the
log
file
of
the
python
package
package
manager
and
the
github
dependency
review.
Api
simply
just
gives
all
of
the
indirect
dependencies
in
the
text.log
file.
B
So
this
is
definitely
something
pretty
confusing,
and
I've
already
showed
a
ticket
to
the
the
team
of
this
api.
To
ask
like
the
details
of
this
api
and
like
is
this
a
bug
or
something
like
will
be
provided
in
the
future
versions,
and
we
do
have
an
issue
on
this
that
says,
maybe
like
in
the
future,
we'll
choose
a
better
data
source
api
to
perform
this
analysis
in
this
visualization,
but
currently
yeah.
B
We
do
have
several
issues
for
for
this
data
source,
api
and
and
of
course,
this
api
will
analysis,
the
go
goemon
and
those
go.
Go
that
sound
together
it
just
it
didn't
tell
whether
this
this
is
a
direct
dependency
or
an
indirect
dependency,
but
all
of
these
dependencies,
which
will
show
here
in
the
annotations
and
in
the
common.
B
B
B
So
I
remember
naveen
you
talked
about
like
maybe
we
should
make
this
configurable
so
so
I
was
just
thinking.
Should
we
do
that
because
we
have
another
example,
the
code
cuff,
so
basically,
basically
code
cup
will
run
on
every
commit
to
compute
the
you
know
the
coverage
difference
you
know
of
the
of
the
of
the
branch,
the
pr
and
the
and
the
membrane
or
something
so
I
was
thinking.
Should
we
make
this
to
just
leave
this
as
same
as
the
one
or
should
we
make
this?
A
It
all
depends
on
it.
I'm
gonna
come
back
to
the
rest.
End
point
the
moment.
The
resting
point
comes,
you
would
be
we'd,
be
able
to
do
it
for
every
commit,
because
it's
just
rest
calls
it's
it's
to
do
that
it's
and
we
can
also
run
them
concurrently.
We
don't
have
to
be
sequential.
We
should
be
able
to
run
them
concurrently.
A
We
should
be
able
to
get
those
get
the
results
pretty
quickly
up
until
then,
my
situation
would
be
is
running
it
on
every
commit
is
going
to
cost
it's
going
to
it's
going
to
it's
going
to
slow
down
significantly
and
we'd,
be
throttling
you,
I
will
be
hitting
our
api
rate
limits,
and
that
would
be
the
problem
and,
like
you
mentioned
it'll,
be
nice
to
default,
should
be
every
comment.
I'm
not
saying
now,
when
the
recent
point
comes
in
again,
my
two
cents
on
this.
The
second
and
people
should
be
able
to
configure
those.
A
Whether
do
I
really
care
between
comments
or
between
my
last
limit
and
my
head
minus
one.
That's
where
I'll
do
I
care,
but
that
could
be.
That
could
be
an
option
that
we
can.
That
could
be
right
now.
That
could
be
the
default
right
now,
but
later,
as
the
resting
point
comes
in
utilizing,
those
things
utilizing
between
every
comment
would
be
should
become
a
default.
B
Yes,
oh,
I
think,
there's
a
another
thing
I
forgot
to
mention
so
like
in
the
current
implementation
of
the
the
pre-check
submit
proprietary
check,
I'm
using
the
round
tripper
implemented
in
the
scope
ripple.
So
I
know
the
round.
Flipper
has
a
built-in
api
limiter
right
yep.
So
yes,
so
I
haven't
passed.
This
haven't
tested
this
in
the
action,
but
I
think
you
know
if
it
runs
multiple
times
on
a
lot
of
dependencies.
It
might
just
simply
hit
the
api
limit.
A
Yeah,
it's
going
to
hit
the
api
limit
and
it's
going
to
block
yeah
yeah
yeah.
It
gives
it
blocks
based
on
it
figures
out.
What's
the
next
limit
and
blocks
until
then,
because
the
api
api
basically
comes
back
in
this,
how
long
should
we
wait
before
we
go
about
doing
it?
So
the
round
triple
already
aware
of
that.
B
B
Oh
for
the
for
this,
for
for
this
one,
so
I'm
a
little
concerned
of
the
comment
being
too
long,
or
maybe
we
generate
a
new
comments
every
time.
So
the
like
our
comments
would
just
spam
spam
the
whole
pr,
absolutely
yeah
yeah.
I
just
I
just
found
a
way
to
update
a
previous
comment.
So
we
don't
need
to.
You
know,
create
a
new
one
every
time.
B
A
B
Before
before
they
before
they
get
merged
yeah,
I
think
that's
it
for
my
demo
and
my
questions
and
I'm
always
welcome
to
any
feedbacks
or
advices
on
that.
You
can
leave
a
comment
in
the
cross
button,
pr
in
the
scorecard
ripple
or
scorecard
actual
people
yeah
all
right,
yeah,
I'm
gonna
take
up
my
sharing
yeah.
Thank
you.