On Fri, Sep 8, 2017 at 3:36 PM, Pramod Immaneni <pra...@datatorrent.com> wrote:
> Though I like the functionality of being able to detect if a new dependency
> being added has vulnerabilities and prompting the search for a better
> version, I am wary of tying a build strongly to vulnerability detection,
> i.e., the build failing when vulnerabilities are discovered in
> dependencies. This immediately blocks our project till those
> vulnerabilities are addressed, as nothing can go in because builds are
> failing. If details are suppressed and we have a summary warning but do not
> fail the build, that should be ok.
>

I think that if a new problem is introduced, then it should be discovered in the CI and the PR that causes it should not be merged until it is addressed.
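One way to reconcile the two positions in this exchange (report known findings as warnings, but block a PR that introduces a new one) is a CI gate that compares the dependency scan report of the PR build against a baseline report from the main branch and fails only on findings absent from the baseline. The script below is an added example written for this note, not code from the thread or from the project; the JSON report format, the library names and the CVE placeholders are all constructed, and a real scanner's output would need its own loader.

```python
"""CI gate: fail a PR build only on newly introduced dependency vulnerabilities.

Added example, not code from the mailing-list thread. The report format is a
constructed, tool-neutral JSON list of findings; real scanners emit their own
schema, so load_findings() is the one function that would need adapting.
"""
import json
import sys

# Constructed baseline: findings already known on the main branch.
BASELINE_JSON = json.dumps([
    {"dependency": "example-lib-a:1.2.3", "cve": "CVE-PLACEHOLDER-1", "severity": "HIGH"},
    {"dependency": "example-lib-b:4.5.6", "cve": "CVE-PLACEHOLDER-2", "severity": "CRITICAL"},
])

# Constructed report from the PR build: lib-b was upgraded (finding gone),
# lib-c was added and brings a new finding with it.
PR_JSON = json.dumps([
    {"dependency": "example-lib-a:1.2.3", "cve": "CVE-PLACEHOLDER-1", "severity": "HIGH"},
    {"dependency": "example-lib-c:0.9.0", "cve": "CVE-PLACEHOLDER-3", "severity": "MEDIUM"},
])


def load_findings(report_json):
    """Parse a report into a dict keyed by (dependency, cve) so findings can be set-compared."""
    return {(f["dependency"], f["cve"]): f for f in json.loads(report_json)}


def classify(baseline_json, pr_json):
    """Split the PR report into findings that are new, pre-existing, or fixed relative to baseline."""
    base = load_findings(baseline_json)
    pr = load_findings(pr_json)
    return {
        "new": sorted(k for k in pr if k not in base),
        "existing": sorted(k for k in pr if k in base),
        "fixed": sorted(k for k in base if k not in pr),
    }


def should_fail(result):
    """The gate trips only when the PR adds findings the main branch did not already have."""
    return bool(result["new"])


def summary(result):
    """Human-readable summary: one line per finding, labelled NEW / EXISTING / FIXED."""
    lines = []
    for label in ("new", "existing", "fixed"):
        for dep, cve in result[label]:
            lines.append(f"{label.upper():8} {dep} {cve}")
    return "\n".join(lines)


def main():
    result = classify(BASELINE_JSON, PR_JSON)
    print(summary(result))
    if should_fail(result):
        print("FAIL: this PR introduces vulnerable dependencies not present on the baseline.")
        return 1
    print("OK: pre-existing findings are reported as warnings only; build continues.")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In a real pipeline the baseline report would be produced by the main-branch build and stored as an artifact, and the PR job would read both files instead of the embedded constants; the classification logic stays the same. Pre-existing findings still surface in the job log on every build, so they are not silently forgotten, but only a regression blocks the merge.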