mdedetrich commented on PR #366: URL: https://github.com/apache/incubator-pekko/pull/366#issuecomment-1582599745
> We have 100% false negatives in https://github.com/apache/incubator-pekko/security/dependabot. Not one of the jackson-databind is applicable. It appears that whatever is going, dependabot is not aware that we are using jackson 2.14.3. All the issues that dependabot highlights are fixed in that version. > > Some alerts relate to org.codehaus.jackson:jackson-mapper-asl but `sbt dependencyTree` does not show any such dependency. Looking into this now, seems to only be happening with Pekko. Under the hood the workflow is an sbt plugin that resolves the dependency graph so it must be doing something odd. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
