+1 that PR with newly introduced vulnerability should not be merged.
Actually, my preference will be that such PR should not be even open.
Thank you,
Vlad
On 9/8/17 15:44, Thomas Weise wrote:
On Fri, Sep 8, 2017 at 3:36 PM, Pramod Immaneni <pra...@datatorrent.com>
wrote:
Though I like the functionality of being able to detect if a new dependency
being added has vulnerabilities and prompting the search for a better
version, I am wary of tying a build strongly to vulnerability detection
i.e., the build failing when vulnerabilities are discovered in
dependencies. This immediately blocks our project till those
vulnerabilities are addressed as nothing can go in because builds are
failing. If details are suppressed and we have a summary warning but not
fail the build, that should be ok.
I think that if a new problem is introduced, then it should be discovered
in the CI and the PR that causes it not be merged until it is addressed.
