naveensrinivasan commented on PR #352:
URL: https://github.com/apache/commons-io/pull/352#issuecomment-1110955220

> I'm not sure if this is necessary. I think 99.9999% of our pull requests
> won't have a dependency, since Commons components try to have as little
> dependencies as possible. So, assuming we rarely have dependency being added, I
> think not having this extra GH Action workflow simplifies maintenance for us,
> but also means one less place to look for possible security vectors (i.e. if
> `actions/dependency-review-action` had a CVE, it wouldn't impact us).
>
> So I'm -0 on this one, unless others prefer to scan, maybe, test
> dependencies being added like JUnit extensions, or maybe Maven plug-ins?

OK, I understand.
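For readers unfamiliar with the workflow under discussion, the following is an added illustration of what a minimal `actions/dependency-review-action` workflow looks like; it is not the file proposed in PR #352 nor anything from the Commons IO repository. The job name, the `v4` tags and the `fail-on-severity` threshold are assumptions chosen for the example. The action compares the dependency manifests of a pull request against the base branch and fails the check when a newly added dependency has a known advisory, which is why the comment above weighs its value against the extra maintenance surface.

```yaml
# Added example, not part of the PR: a minimal dependency-review workflow.
# Runs only on pull requests, because it diffs the PR's manifests against base.
name: Dependency Review
on: [pull_request]

# Least privilege: the action only needs to read the repository contents.
permissions:
  contents: read

jobs:
  dependency-review:          # job name is an assumption for this example
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          # Fail the check when an added dependency carries an advisory of
          # this severity or higher (threshold chosen for the example).
          fail-on-severity: moderate
```

The trade-off the comment describes is visible here: the workflow is small, but it is one more third-party action pinned in the repository whose own releases and advisories then have to be tracked by the maintainers.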


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@commons.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
