raboof opened a new issue, #1553: URL: https://github.com/apache/pekko/issues/1553
our GitHub 'security' tab claims that we depend on a version of guava that is vulnerable to GHSA-mvr2-9pj6-7w5j . I think this is a false positive: I think this is the guava that comes in as a transitive dependency of leveldb, but this is an `optional;provided` dependency. This apparently ends up in the `compile-internal` and `optional` scopes. I think we should probably exclude the `compile-internal` and `optional` scopes, and use the dependabot security report for artifacts that actually come in as transitive dependencies for our users. The chance that an advisory for an optional/provided/test/build-time dependency actually impacts our build seems too small to justify the noise it adds.
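As an added illustration, not taken from the issue or from the Pekko repository, this is how the proposed scope exclusion could look in a GitHub Actions workflow that feeds the repository dependency graph through the scalacenter/sbt-dependency-submission action. The job layout, the action versions and the assumed default value of `configs-ignore` are assumptions; check the action's README for the current defaults.

```yaml
# Added example, not Pekko's actual workflow. Assumes the dependency graph
# (which the Security tab and Dependabot alerts read) is submitted with
# scalacenter/sbt-dependency-submission; action versions are assumed.
name: Dependency graph
on:
  push:
    branches: [main]
jobs:
  submit-dependency-graph:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # needed to upload the dependency snapshot
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
      # Before: only the action's default configurations are ignored, so
      # artifacts that are only in optional/provided-style configurations
      # (here: guava pulled in via leveldb) are still reported and raise
      # advisories such as GHSA-mvr2-9pj6-7w5j against the project.
      #   configs-ignore: test scala-tool scala-doc-tool
      # After: also drop the configurations that carry those artifacts, so
      # alerts cover only what downstream users get as transitive deps.
      - uses: scalacenter/sbt-dependency-submission@v3
        with:
          configs-ignore: test scala-tool scala-doc-tool compile-internal optional
```

The trade-off stated in the issue still applies: anything removed from the submitted graph no longer gets alerts at all, so the excluded configurations should be ones that never ship to users.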