Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/04/27 12:26:25 UTC
[GitHub] [commons-io] naveensrinivasan opened a new pull request, #352: chore(deps): Included dependency review
naveensrinivasan opened a new pull request, #352:
URL: https://github.com/apache/commons-io/pull/352
> Dependency Review GitHub Action in your repository to enforce dependency reviews on your pull requests.
> The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests,
> and warns you about the associated security vulnerabilities.
> This gives you better visibility of what's changing in a pull request,
> and helps prevent vulnerabilities being added to your repository.
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
Signed-off-by: naveensrinivasan <17...@users.noreply.github.com>
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
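For reference, a workflow that enables the action the PR proposes. This is an added example, not the file from PR #352; the `v3` tags and the `fail-on-severity` input are assumptions to check against the action's README, and the job assumes a Maven project whose `pom.xml` the action can diff.

```yaml
# .github/workflows/dependency-review.yml (added example, not the PR's file)
name: Dependency Review
on: [pull_request]

permissions:
  contents: read   # least privilege: the action only needs to read the manifests

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3           # assumed tag; pin to a full commit SHA in practice
      - name: Dependency Review
        uses: actions/dependency-review-action@v3   # assumed tag; pin to a full commit SHA in practice
        with:
          # Fail the check only when a dependency introduced by this PR has a known
          # advisory of at least this severity; lower severities are reported, not blocking.
          fail-on-severity: high
```

Pinning both actions to a full commit SHA instead of a floating tag limits the exposure the thread raises, namely the action itself becoming a supply-chain vector, because a compromised or retagged release would then not be picked up automatically.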
[GitHub] [commons-io] garydgregory commented on pull request #352: chore(deps): Included dependency review
garydgregory commented on PR #352:
URL: https://github.com/apache/commons-io/pull/352#issuecomment-1111128013
We use Dependabot already to look for dependency changes so I don't see the need for yet another dependency checker.
[GitHub] [commons-io] naveensrinivasan closed pull request #352: chore(deps): Included dependency review
naveensrinivasan closed pull request #352: chore(deps): Included dependency review
URL: https://github.com/apache/commons-io/pull/352
[GitHub] [commons-io] naveensrinivasan commented on pull request #352: chore(deps): Included dependency review
naveensrinivasan commented on PR #352:
URL: https://github.com/apache/commons-io/pull/352#issuecomment-1113546525
Closing this.
[GitHub] [commons-io] naveensrinivasan commented on pull request #352: chore(deps): Included dependency review
naveensrinivasan commented on PR #352:
URL: https://github.com/apache/commons-io/pull/352#issuecomment-1110955220
> I'm not sure if this is necessary. I think 99.9999% of our pull requests won't have a dependency, since Commons components try to have as few dependencies as possible. So, assuming we rarely have a dependency being added, I think not having this extra GH Action workflow simplifies maintenance for us, but also means one less place to look for possible security vectors (i.e. if `actions/dependency-review-action` had a CVE, it wouldn't impact us).
>
> So I'm -0 on this one, unless others prefer to scan, maybe, test dependencies being added like JUnit extensions, or maybe Maven plug-ins?
OK, I understand.