In many cases, updating the packages is as trivial as clicking on the
"Create Dependabot  security update" button in the "Dependabot alerts" tab (
https://github.com/apache/hadoop/security/dependabot?q=is%3Aopen+ecosystem%3Anpm).
(Link accessible only for Hadoop committers)

Some commits generated by dependabot do not have associated JIRA issues
as I can see from `git log`.
I prefer creating JIRA issues for links and
"Fix Version/s" fields for including the changes to CHANGELOGS.

Do you think it is OK if I file associated JIRAs of dependabot PRs
then merge them based on my review (without +1 of another committer)?

Thanks,
Masatake Iwasaki

On 2022/03/03 16:58, Wei-Chiu Chuang wrote:
Hello,

Hadoop YARN has extensive use of npm packages. Many of the packages are
outdated and even are associated with known CVEs.

In many cases, updating the packages is as trivial as clicking on the
"Create Dependabot  security update" button in the "Dependabot alerts" tab (
https://github.com/apache/hadoop/security/dependabot?q=is%3Aopen+ecosystem%3Anpm).
(Link accessible only for Hadoop committers)

Given the number of outstanding alerts, I'd like to call for volunteers to
go through these alerts and validate the change made by the Dependabot. If
we have enough people performing this task we can quickly make Hadoop safer.

Regards,
Weichiu


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to