chore: dependency-submission: skip test scope #1392

Open: wants to merge 1 commit into main
Commits on Aug 6, 2024

  1. chore: dependency-submission: skip test scope

    Currently, dependency-submission would submit all dependencies to
    https://github.com/apache/pekko/security/dependabot , including
    test dependencies. We then added explicit dependencies to the build
    to squash warnings about outdated test dependencies (apache#1181, apache#1313
    and apache#1344).
    
    With version 3, sbt-dependency-submission now supports ignoring
    scopes. This PR proposes to ignore the test scope, and remove the
    explicit dependencies from the build.
    
    Of course, we want our developers to be secure as much as our users.
    From that perspective you could say we'd want to remove 'insecure'
    dependencies even from the test scope. In practice, however, I think
    it's really unlikely that a vulnerability in a test scope dependency
    would lead to a realistic attack on a developer. For that reason, I
    think ignoring this scope for dependency-submission and keeping the
    old dependencies in the build removes some development friction, which
    balances out the risk of testing with outdated dependencies. If there'd
    be a 'malicious' dependency out there, I expect we'd learn about it
    through other channels.
    
    (do we need to request sbt-dependency-submission@v3 to be whitelisted
    at Infra?)
    raboof committed Aug 6, 2024 (commit 40cd9f0)
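As an added illustration, not code from this PR or from the apache/pekko repository, here is what a dependency-submission workflow step looks like once test-scope dependencies are excluded from the submitted graph. The `configs-ignore` input name, the space-separated list format, the `contents: write` permission and the pinned action versions are assumptions drawn from my reading of the scalacenter/sbt-dependency-submission documentation, not from this page; verify them against the README of the release you pin.

```yaml
# Added example (not from the apache/pekko PR): a GitHub Actions workflow that
# submits the sbt dependency graph to GitHub with the test scope excluded.
# ASSUMPTION: the action input is named `configs-ignore` and takes a
# space-separated list of sbt configuration names; check the action's README.
name: Dependency submission

on:
  push:
    branches: [main]

permissions:
  contents: write   # ASSUMPTION: required by the Dependency Submission API

jobs:
  submit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      - uses: sbt/setup-sbt@v1
      - uses: scalacenter/sbt-dependency-submission@v3
        with:
          # Before this change every configuration was submitted, so Dependabot
          # also raised alerts for outdated test-only dependencies.
          # With `configs-ignore` the test configuration (and the tool
          # configurations sbt itself resolves) is left out, so only the
          # dependencies that ship to users are tracked in
          # https://github.com/<org>/<repo>/security/dependabot
          configs-ignore: test scala-tool scala-doc-tool
```

The caveat to keep in mind is the one the commit message already accepts: anything listed in `configs-ignore` disappears from the dependency graph entirely, so Dependabot will not alert on a vulnerable test-only library and the project has to learn about it through other channels. Pinning the action to a tag (`@v3`) rather than a floating `main` also matters here, since the action runs with write access to the repository's dependency graph.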