[
https://issues.apache.org/jira/browse/CALCITE-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18034807#comment-18034807
]
Julian Hyde commented on CALCITE-7260:
--------------------------------------
It might be the 'right thing' but unless someone is assigned to stay on top of
these warnings it will just be irritating noise. Calcite devs are all
volunteers.
Preferable would be a step that can be performed before each release.
> Add gradle/actions/dependency-submission GitHub action to track vulnerable
> dependencies
> ---------------------------------------------------------------------------------------
>
> Key: CALCITE-7260
> URL: https://issues.apache.org/jira/browse/CALCITE-7260
> Project: Calcite
> Issue Type: Improvement
> Reporter: Vladimir Sitnikov
> Priority: Major
>
> dependency-submission enables GitHub to track all the used dependencies and show
> CVE alerts via https://github.com/apache/calcite/security/dependabot.
> It would track both runtime, test, build-time, and even build-script
> dependencies, which is the right thing from my point of view.
> See
> https://github.com/actions/gradle-build-tools-actions?tab=readme-ov-file#the-dependency-submission-action
> See
> https://github.com/apache/jmeter/blob/2c17f5d2b6b0fa7e0f69dbd56785386a785c8745/.github/workflows/gradle-dependency-submit.yaml
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
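As an added illustration, not code from the issue or the Calcite repository, this is a minimal workflow wiring up the gradle/actions/dependency-submission action the issue proposes; it keeps a `workflow_dispatch` trigger so the same submission can be run on demand ahead of a release, as the comment above prefers. The branch name, Java version and action version tags are assumptions.

```yaml
# Constructed example workflow (not Calcite's own): submit the Gradle
# dependency graph so Dependabot can raise alerts for known-vulnerable
# dependencies. Assumed: branch 'main', Temurin JDK 17, action tags @v4.
name: Dependency submission

on:
  push:
    branches: [ main ]       # assumption: default branch
  workflow_dispatch:         # lets a release manager run it manually pre-release

# The submission API writes to the repository's dependency graph,
# so 'contents: write' is required; nothing else is granted.
permissions:
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17   # assumption: adjust to the project's JDK

      # Resolves all configurations (runtime, test, build-time and
      # build-script classpaths) and submits the graph to GitHub.
      # Pinning to a full commit SHA instead of @v4 is preferable.
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v4
```

Once the graph has been submitted, the resulting alerts appear under the repository's Dependabot security tab linked in the issue description.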