[ 
https://issues.apache.org/jira/browse/CALCITE-7260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18034867#comment-18034867
 ] 

Vladimir Sitnikov commented on CALCITE-7260:
--------------------------------------------

Thanks for the feedback. To minimize burden while still getting value, I 
propose we enable dependency submission on push to main.

* It only updates the dependency graph (no emails, no bot PRs).
* We’ll add a short note in SECURITY.md and/or release instructions that alerts 
are informational and not a release blocker unless a CVE clearly affects 
runtime artifacts.
* This lets us surface issues early so version bumps happen gradually in normal 
PRs, rather than a risky sweep right before a release.

If you still think there will be noise (I just don't see what could be the 
noise unless one specifically opens the webpage), feel free to close the issue.

> Add gradle/actions/dependency-submission GitHub action to track vulnerable 
> dependencies
> ---------------------------------------------------------------------------------------
>
>                 Key: CALCITE-7260
>                 URL: https://issues.apache.org/jira/browse/CALCITE-7260
>             Project: Calcite
>          Issue Type: Improvement
>            Reporter: Vladimir Sitnikov
>            Priority: Major
>
> dependency-submission enables GitHub to track all the used dependencies and show 
> CVE alerts via https://github.com/apache/calcite/security/dependabot
> It would track runtime, test, build-time, and even build-script 
> dependencies, which is the right thing from my point of view.
> See https://github.com/actions/gradle-build-tools-actions?tab=readme-ov-file#the-dependency-submission-action
> See https://github.com/apache/jmeter/blob/2c17f5d2b6b0fa7e0f69dbd56785386a785c8745/.github/workflows/gradle-dependency-submit.yaml
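A workflow wiring this up the way the comment proposes (trigger only on push to main, graph submission only, no alert emails or bot PRs), written here as an added example rather than taken from the Calcite or JMeter repositories; the Java version, action version tags and job name are assumptions.

```yaml
# Constructed example: .github/workflows/dependency-submission.yml (not Calcite's own file).
name: Dependency submission

on:
  push:
    branches: [ main ]   # main only: no pull_request trigger, so forks never get this token

# Least privilege: the dependency graph API needs contents:write and nothing else.
permissions:
  contents: write

jobs:
  dependency-submission:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17   # assumed; use whatever the build's toolchain requires

      # Resolves all configurations (runtime, test, build-time, buildscript)
      # and submits the resulting graph; Dependabot then surfaces advisories
      # under the repository's security tab without opening PRs.
      - name: Generate and submit dependency graph
        uses: gradle/actions/dependency-submission@v4
```

Pinning the `uses:` references to a full commit SHA instead of a version tag is the usual supply-chain hardening for workflows that run with a write-scoped token.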



--
This message was sent by Atlassian Jira
(v8.20.10#820010)