Pankraz76 commented on code in PR #20364: URL: https://github.com/apache/kafka/pull/20364#discussion_r2280960370
########## build.gradle: ########## @@ -33,7 +34,7 @@ plugins { id 'idea' id 'jacoco' id 'java-library' - id 'org.owasp.dependencycheck' version '8.2.1'

Review Comment:
**Surprisingly, there were zero vulnerabilities found**, which is a good thing. This offers a great opportunity to **keep it that way** by running the `dependencyCheckAnalyze` goal. I was surprised not to find this in the codebase—it should ideally be called in a **CI quality gate** to ensure security. Additionally, **not updating this plugin introduces its own risk**, as this plugin is **critical**. I was considering implementing it but was surprised to find it seemingly **abandoned and not updated**. **What’s going on with Dependabot here?** This seems like an issue—why isn’t it keeping dependencies up to date?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
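Review bot: the hunk shows only the removed line `- id 'org.owasp.dependencycheck' version '8.2.1'` in the `plugins` block, and the header `@@ -33,7 +34,7 @@` implies a replacement line that is not visible in this excerpt, so the PR description should state whether this is a version bump or a removal of the plugin; if the plugin is removed, the `dependencyCheckAnalyze` task the comment wants as a CI gate disappears with it, and the build should then reference whatever replaces it.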
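The CI quality gate the comment asks for, as an added build.gradle fragment that is not part of this PR or of the Kafka build. The `failBuildOnCVSS`, `suppressionFile`, `formats` and `skipConfigurations` settings are the OWASP dependency-check Gradle plugin's own; the plugin version placeholder, the suppression file path and the choice of skipped configurations are assumptions for the example.

```groovy
plugins {
    id 'java-library'
    // Placeholder version: pin the current release on one line so Dependabot
    // (or a human) has exactly one thing to bump. Not this PR's line.
    id 'org.owasp.dependencycheck' version '<PLUGIN_VERSION>'
}

dependencyCheck {
    // Weak setting: the plugin's default threshold of 11 is above the CVSS
    // maximum of 10, so dependencyCheckAnalyze reports findings but never
    // fails the build. A "zero vulnerabilities" report is then only as good
    // as whoever remembers to open it.
    // failBuildOnCVSS = 11

    // Corrected: fail the build on any High or Critical finding (CVSS >= 7.0).
    failBuildOnCVSS = 7.0

    // Reviewed false positives live in a suppression file with a rationale
    // per entry, so the gate stays red for everything else. Path assumed.
    suppressionFile = 'gradle/dependency-check-suppressions.xml'

    // HTML for people, JSON for a CI step to archive or diff between runs.
    formats = ['HTML', 'JSON']

    // Assumed scope: test-only classpaths do not ship, so skip them and
    // keep the gate focused on runtime dependencies.
    skipConfigurations = ['testCompileClasspath', 'testRuntimeClasspath']
}

// Wire the scan into the standard quality gate so `./gradlew check`
// (and therefore CI) cannot pass with an unaddressed High/Critical CVE.
tasks.named('check') {
    dependsOn 'dependencyCheckAnalyze'
}
```

In the CI job, run `./gradlew dependencyCheckAnalyze` (or just `check`) and archive `build/reports/dependency-check-report.*` as a build artifact so a failed gate comes with the evidence.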