Posted to dev@pulsar.apache.org by Michael Marshall <mm...@apache.org> on 2022/01/03 20:52:13 UTC

Re: OWASP dependencies check on active branches

+1 - This is a great addition, thanks Nicolò.

I updated our Release Process wiki page so that Release Managers will
know to add new release branches to this GitHub workflow [0].

- Michael

[0] https://github.com/apache/pulsar/wiki/Release-process#1-create-the-release-branch

On Wed, Dec 22, 2021 at 10:08 AM Lari Hotari <La...@hotari.net> wrote:
>
> Good work Nicolò! It's great to have OWASP dependency check handled for all
> active branches.
>
> -Lari
>
> On Wed, Dec 22, 2021 at 5:05 PM Nicolò Boschi <bo...@gmail.com> wrote:
>
> > Hello everyone,
> >
> > I created a couple of pull requests in order to run a periodic check on
> > Pulsar's active branches. In this way we can proactively update dependencies
> > whenever it is needed (for the purpose of fixing CVEs).
> >
> > The first one [0] is to make the check pass on branch-2.8
> > The second one [1] is to make the check pass on master and branch-2.9
> > The third one [2] is to make the periodic job run against master,
> > branch-2.8 and branch-2.9.
> >
> > We also have to port this PR [3] to branch-2.9
> >
> > I left out the 2.7 branch because I have the impression (please confirm it) that we
> > are no longer cherry-picking dependency upgrades. Also, the check doesn't
> > exist at all in that branch.
> >
> > Let me know what you think.
> >
> > Thanks,
> > Nicolò Boschi
> >
> > [0] https://github.com/apache/pulsar/pull/13455
> > [1] https://github.com/apache/pulsar/pull/13451
> > [2] https://github.com/apache/pulsar/pull/13366
> > [3] https://github.com/apache/pulsar/pull/13364
> >
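The kind of scheduled, multi-branch job the thread describes, as an added illustration rather than the workflow the linked pull requests actually add: a GitHub Actions workflow that checks out each active branch from a matrix and runs the OWASP dependency-check Maven plugin against it. The cron time, JDK version, CVSS threshold and artifact names are assumptions chosen for the example; the plugin goal and its `failBuildOnCVSS` / `skipTestScope` parameters are standard dependency-check-maven options.

```yaml
# Added example (not Pulsar's own .github/workflows file).
name: OWASP dependency check (active branches)

on:
  schedule:
    - cron: '0 3 * * *'        # assumed: once a day at 03:00 UTC
  workflow_dispatch:           # allow a manual run after a dependency bump

jobs:
  dependency-check:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false         # a failure on one branch must not cancel the others
      matrix:
        # Release Managers add each new release branch here (see the wiki step [0]).
        branch: [master, branch-2.8, branch-2.9]
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ matrix.branch }}   # check the dependencies of that branch, not of master

      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 17            # assumed; pick the JDK each branch builds with

      - name: Run OWASP dependency-check
        # Fails the job when any dependency has a CVE with CVSS >= 7 (assumed threshold);
        # test-scoped dependencies are skipped because they do not ship in releases.
        run: |
          mvn -B -ntp org.owasp:dependency-check-maven:check \
            -DfailBuildOnCVSS=7 \
            -DskipTestScope=true

      - name: Upload report
        if: always()                  # keep the HTML report even when the check fails
        uses: actions/upload-artifact@v3
        with:
          name: dependency-check-report-${{ matrix.branch }}
          path: '**/target/dependency-check-report.html'
```

Because each matrix entry fails independently, a single red run points at the branch that needs a dependency upgrade cherry-picked, which is the proactive update the thread is after.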