GitHub has a feature to report security vulnerabilities in dependencies:
https://help.github.com/en/articles/about-security-alerts-for-vulnerable-dependencies
https://help.github.com/en/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository

A few of the Apache projects are using this GitHub feature to send alerts to the project committers. For example:
SIS: https://issues.apache.org/jira/browse/INFRA-18087
Airflow: https://issues.apache.org/jira/browse/INFRA-17470

What do folks think about enabling GitHub security alerts for Druid committers? I think it'll help us to proactively fix security vulnerabilities before they're reported by users (e.g., https://github.com/apache/incubator-druid/issues/8432).

Thanks,
Chi