Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2022/04/27 12:43:33 UTC

[GitHub] [commons-io] naveensrinivasan commented on pull request #352: chore(deps): Included dependency review

naveensrinivasan commented on PR #352:
URL: https://github.com/apache/commons-io/pull/352#issuecomment-1110955220

> I'm not sure if this is necessary. I think 99.9999% of our pull requests won't have a dependency, since Commons components try to have as few dependencies as possible. So, assuming we rarely have a dependency being added, I think not having this extra GH Action workflow simplifies maintenance for us, but also means one less place to look for possible security vectors (i.e. if `actions/dependency-review-action` had a CVE, it wouldn't impact us).
>
> So I'm -0 on this one, unless others prefer to scan, maybe, test dependencies being added like JUnit extensions, or maybe Maven plug-ins?

OK, I understand.


-- 
This is an automated message from the Apache Git Service.