I don’t see an obvious upgrade path to ameliorate these docs/* “security” problems (I upped all the versions I could in package.json with no useful effect), but:

- I’ve been planning on completely eliminating all the copying with the gulp file (where the dependencies come from) and having Antora find the originals instead. This is going to require a camel-specific Antora extension (first one!) but should not be terribly difficult. We then wouldn’t have a yarn.lock :-) This may take a while.
- I don’t think there’s actually any security risk to running a script to symlink some files in the git repo, and committing the result.

I’d appreciate Zoran’s perspective; I am by no means a security expert.

David Jencks

> On Feb 3, 2022, at 1:23 PM, Claus Ibsen <claus.ib...@gmail.com> wrote:
>
> Hi
>
> Most of the remaining alerts are in the docs folder about yarn.
>
> Wonder if David or Zoran would take a look?
>
> On Thu, Feb 3, 2022 at 1:02 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>
>> Hi,
>>
>> I've worked with INFRA to enable GitHub dependabot alerts for various Apache projects. The idea is that the GitHub committers for a given project can have access to the page on GitHub (for example for CXF: https://github.com/apache/cxf/security/dependabot) which shows the list of dependencies for the project with known CVEs.
>>
>> I plan to do the same for Camel on these repos:
>>
>> https://github.com/apache/camel
>> https://github.com/apache/camel-karaf
>> https://github.com/apache/camel-quarkus
>> https://github.com/apache/camel-spring-boot
>>
>> Any objections or anything I'm missing? If not I'll proceed with enabling it.
>>
>> Colm.
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2