Commits on Aug 6, 2024

1. chore: dependency-submission: skip test scope …

   Currently, dependency-submission would submit all dependencies to
   https://github.com/apache/pekko/security/dependabot , including
   test dependencies. We then added explicit dependencies to the build
   to squash warnings about outdated test dependencies (apache#1181, apache#1313
   and apache#1344).
   
   With version 3, sbt-dependency-submission now supports ignoring
   scopes. This PR proposes to ignore the test scope, and remove the
   explicit dependencies from the build.
   
   Of course, we want our developers to be secure as much as our users.
   From that perspective you could say we'd want to remove 'insecure'
   dependencies even from the test scope. In practice, however, I think
   it's really unlikely that a vulnerability in a test scope dependency
   would lead to a realistic attack on a developer. For that reason, I
   think ignoring this scope for dependency-submission and keeping the
   old dependencies in the build removes some development friction, which
   balances out the risk of testing with outdated dependencies. If there'd
   be a 'malicious' dependency out there, I expect we'd learn about it
   through other channels.
   
   (do we need to request sbt-dependency-submission@v3 to be whitelisted
   at Infra?)

   

   raboof committed Aug 6, 2024
   Configuration menu

   • View commit details
   • Copy full SHA for 40cd9f0
   • Browse repository at this point

   Copy the full SHA

   40cd9f0 View commit details

   Browse the repository at this point in the history