apex-dev mailing list archives

From Vlad Rozov <vro...@apache.org>
Subject Re: checking dependencies for known vulnerabilities
Date Fri, 08 Sep 2017 22:51:40 GMT
+1 that a PR with a newly introduced vulnerability should not be merged.
Actually, my preference would be that such a PR should not even be opened.

Thank you,


On 9/8/17 15:44, Thomas Weise wrote:
> On Fri, Sep 8, 2017 at 3:36 PM, Pramod Immaneni <pramod@datatorrent.com>
> wrote:
>> Though I like the functionality of being able to detect if a new dependency
>> being added has vulnerabilities and prompting the search for a better
>> version, I am wary of tying a build strongly to vulnerability detection
>> i.e., the build failing when vulnerabilities are discovered in
>> dependencies. This immediately blocks our project till those
>> vulnerabilities are addressed as nothing can go in because builds are
>> failing. If details are suppressed and we have a summary warning but not
>> fail the build, that should be ok.
> I think that if a new problem is introduced, then it should be discovered
> in the CI and the PR that causes it not be merged until it is addressed.

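The thread above weighs failing the build on any known-vulnerable dependency against only blocking the pull request that introduces a new one. The script below is an added example, not code from the Apache Apex project or from anyone in this thread: it compares a dependency-scan report for the base branch with one for the PR branch, warns on findings that already existed on the base branch, and only fails when the PR introduces a finding at or above a CVSS threshold. The JSON report layout, the dependency names and the vulnerability identifiers are all constructed for the example; real scanners emit their own schema, so the `findings()` parser is the part you would adapt.

```python
"""Gate a CI build on newly introduced dependency vulnerabilities.

Added example, not Apache Apex project code. It assumes a scanner report of
the form {"dependencies": [{"name", "version", "vulnerabilities": [{"id", "cvss"}]}]};
that schema, and every name and identifier below, is constructed for the example.
"""
import json
import sys

# Constructed report for the base branch: one pre-existing high finding.
BASE_REPORT = json.dumps({
    "dependencies": [
        {"name": "lib-alpha", "version": "1.2.0",
         "vulnerabilities": [{"id": "VULN-0001", "cvss": 7.5}]},
        {"name": "lib-beta", "version": "2.0.0", "vulnerabilities": []},
    ]
})

# Constructed report for the PR branch: same as base plus a new dependency
# carrying one critical and one low finding.
PR_REPORT = json.dumps({
    "dependencies": [
        {"name": "lib-alpha", "version": "1.2.0",
         "vulnerabilities": [{"id": "VULN-0001", "cvss": 7.5}]},
        {"name": "lib-beta", "version": "2.0.0", "vulnerabilities": []},
        {"name": "lib-gamma", "version": "1.0.0",
         "vulnerabilities": [{"id": "VULN-0002", "cvss": 9.8},
                             {"id": "VULN-0003", "cvss": 3.1}]},
    ]
})


def findings(report_json):
    """Map (dependency, version, vulnerability id) -> CVSS score.

    Keying on the version means a bump to a still-vulnerable release counts
    as a new finding, which is what a reviewer wants to see.
    """
    report = json.loads(report_json)
    out = {}
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            out[(dep["name"], dep["version"], vuln["id"])] = float(vuln["cvss"])
    return out


def classify(base_json, pr_json, fail_cvss=7.0):
    """Split the PR's findings into new, pre-existing and blocking sets."""
    base = findings(base_json)
    pr = findings(pr_json)
    new = {k: v for k, v in pr.items() if k not in base}
    preexisting = {k: v for k, v in pr.items() if k in base}
    blocking = {k: v for k, v in new.items() if v >= fail_cvss}
    return new, preexisting, blocking


def gate(base_json, pr_json, fail_cvss=7.0):
    """Return (exit_code, report_lines): 1 blocks the merge, 0 passes with warnings."""
    new, preexisting, blocking = classify(base_json, pr_json, fail_cvss)
    lines = []
    # Pre-existing findings are reported but never fail the build, so a
    # newly published advisory against an unchanged dependency cannot stall
    # every open PR at once.
    for (name, ver, vid), cvss in sorted(preexisting.items()):
        lines.append(f"WARN pre-existing {name}:{ver} {vid} cvss={cvss}")
    # Findings the PR introduces fail the build only above the threshold.
    for (name, ver, vid), cvss in sorted(new.items()):
        level = "FAIL" if cvss >= fail_cvss else "WARN"
        lines.append(f"{level} new {name}:{ver} {vid} cvss={cvss}")
    lines.append(f"summary: {len(preexisting)} pre-existing, "
                 f"{len(new)} new, {len(blocking)} blocking")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    code, report = gate(BASE_REPORT, PR_REPORT)
    print("\n".join(report))
    sys.exit(code)
```

Run both scans in the same CI job, against the merge base and the PR head, so that advisories published since the last base-branch build appear on both sides and are classified as pre-existing; scanning the base branch only on its own schedule would make those show up as "new" on every PR and reintroduce the blocking behaviour the thread is worried about.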