Submit dependabot dependency graph to Github #366
Conversation
lgtm
@pjfanning The PR has been approved but I will wait for your approval in case you have any comments
(this page is only visible if you have permissions for that repo)
Ah thanks. Let me see if INFRA is able to help out here.
fa38835 to 713604d
Thanks, it seems like
713604d to 632a2f5
I am going to merge the PR for now so we can see if there are any potential issues before release, can always revert if there is a problem.
We have 100% false negatives in https://github.com/apache/incubator-pekko/security/dependabot. Not one of the jackson-databind is applicable. It appears that whatever is going on, dependabot is not aware that we are using jackson 2.14.3. All the issues that dependabot highlights are fixed in that version. Some alerts relate to org.codehaus.jackson:jackson-mapper-asl but
Looking into this now, seems to only be happening with Pekko. Under the hood the workflow is an sbt plugin that resolves the dependency graph so it must be doing something odd.
Issue made at #376 |
This PR uses Scala Center's official integration of sbt with GitHub's dependabot (see https://github.com/scalacenter/sbt-dependency-submission) to submit any potential security vulnerabilities. This is a more practical solution compared to #289, especially in regards to getting it ready for release candidate.
https://github.com/aiven/guardian-for-apache-kafka/security/dependabot is a nice demonstration of what it looks like when it finds security vulnerabilities.
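For reference, the shape of workflow this PR wires in, written here as an added example rather than copied from the PR's diff. The workflow name, the action version tags, the `setup-java` step and the `permissions` block are assumptions taken from the action's documented usage and should be checked against the scalacenter/sbt-dependency-submission README before use.

```yaml
# Added example, not the PR's own workflow file.
# A minimal GitHub Actions workflow that runs the sbt-dependency-submission
# action, which resolves the project's dependency graph with sbt and submits
# it to GitHub's Dependency Graph so that Dependabot can raise alerts.
# Action tags, Java version and permissions are assumptions; verify them
# against https://github.com/scalacenter/sbt-dependency-submission.
name: Dependency graph submission

on:
  push:
    branches: [main]

jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the dependency submission API needs write access to contents
    steps:
      - uses: actions/checkout@v3

      # Assumed: pin a JDK so sbt resolves with the same toolchain as the build.
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: 11

      # Resolves the dependency graph via sbt and uploads the snapshot.
      - uses: scalacenter/sbt-dependency-submission@v2
```

After the first run, open the repository's security/dependabot page and compare the versions in the alerts with what the build actually resolves. Alerts are computed from the submitted snapshot, so alerts that are all fixed in the version the project already uses (as reported for jackson-databind above) indicate that the submitted snapshot does not match the build's resolution, not that the build is vulnerable.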