Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/12/03 10:57:01 UTC

[GitHub] [pulsar] hpvd commented on issue #8701: push websocket

hpvd commented on issue #8701:
URL: https://github.com/apache/pulsar/issues/8701#issuecomment-737866945


   @codelipenghui of course one can check these versions manually, but what do you think of making it an automated routine before every release?
   
   what would help (if not already used):
   
   1. enabling githubs alerts for vulnerable dependencies for pulsar see https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-alerts-for-vulnerable-dependencies
   
   -> if possible a bot automatically should open an issue to fix these findings
   
   2. since possibly not all vulnerabilities are reported/found, it may also be an idea to have a table of dependencies:
      - row 1: name of dependency
      - row 2: versions of dependencies used in latest pulsar release e.g. see https://frontbackend.com/maven/artifact/org.apache.pulsar/pulsar/2.6.2
      - row 3: latest version of dependency available (if hosted at github: accessible with github api)
   
   -> before every release one should look at this table and update all (most) dependencies to their latest version (or note a hint why this is not possible at this time (e.g. incompatible changes))
   -> of course one could automate opening update issues as well, but these may be too frequent...
   
   
   

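A small script in the spirit of step 2 of the comment above, added here as an example and not code from the Pulsar project or from the commenter: it reads dependency versions from a constructed pom.xml fragment, compares them against a constructed stand-in for the `tag_name` values the GitHub releases API would return, and flags the outdated ones. Names, versions and tags are all hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a pom.xml fragment naming a few hypothetical dependencies.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>lib-a</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-b</artifactId><version>2.0.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-c</artifactId><version>0.9.10</version></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for the GitHub releases API: latest tag_name per artifact.
# (In practice this would be fetched per repository; it is hard-coded here so the script runs offline.)
LATEST_TAGS = {"lib-a": "v1.2.3", "lib-b": "v2.1.0", "lib-c": "v0.9.9"}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_dependencies(pom_text):
    """Return {artifactId: version} for every <dependency> in the POM (row 1 and row 2 of the table)."""
    root = ET.fromstring(pom_text)
    return {dep.find("m:artifactId", NS).text: dep.find("m:version", NS).text
            for dep in root.findall(".//m:dependency", NS)}


def version_key(tag):
    """Turn 'v1.2.10' or '1.2.10' into a tuple of ints so that 1.2.10 sorts after 1.2.9.
    Pre-release suffixes such as '-rc1' are not modelled; their digits would be compared numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", tag))


def compare(deps, latest_tags):
    """Build the table rows as (name, used, latest, status)."""
    rows = []
    for name, used in sorted(deps.items()):
        latest = latest_tags.get(name)
        if latest is None:
            status = "unknown"          # not hosted on GitHub or no release found
        elif version_key(latest) > version_key(used):
            status = "outdated"         # candidate for an update before the release
        else:
            status = "up-to-date"
        rows.append((name, used, latest.lstrip("v") if latest else "?", status))
    return rows


def outdated(rows):
    """Names of the dependencies that should be looked at before the release."""
    return [name for name, _, _, status in rows if status == "outdated"]


if __name__ == "__main__":
    for name, used, latest, status in compare(parse_dependencies(POM_XML), LATEST_TAGS):
        print(f"{name:<10}{used:<10}{latest:<10}{status}")
```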

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org