mistercrunch commented on PR #24491: URL: https://github.com/apache/superset/pull/24491#issuecomment-2300011330
> it must run on every pr as there can be vulnerabilities that are found later not when the dependency gets upgraded.

So say if I open a super simple PR fixing a typo, it shouldn't be held back because a vulnerability was found in some package that's completely unrelated to my PR. If we run bandit on every PR, it means all of the open PRs (say all 300+ of them open right now) would start failing CI for things totally out of knowledge and unrelated to those PRs. If/when fixed, all 300+ PRs now need to be rebased to pass the checks. I also don't think we want `master` to start failing randomly. That's why I'm suggesting a workflow on a schedule (say @daily) that notifies committers, but doesn't break PRs or the builds on `master`.
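One way to express the scheduled, non-blocking workflow proposed in the comment above, as an added example that is not code from the Superset repository or from anyone in this thread. The file name, the 06:00 UTC cron time, the `superset` package path passed to bandit, the `bandit` issue label (which must already exist in the repo) and the "open an issue or comment on the existing one" notification choice are all assumptions made for illustration:

```yaml
# Hypothetical file: .github/workflows/bandit-nightly.yml
# Runs bandit on a schedule and reports findings to committers through an
# issue instead of failing PR checks or the master build.
name: Nightly bandit scan

on:
  schedule:
    - cron: "0 6 * * *"   # once a day (the "@daily" from the thread); time is assumed
  workflow_dispatch:       # lets a committer trigger a run by hand

permissions:
  contents: read
  issues: write            # required so the job can open or comment on an issue

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      - name: Install bandit
        run: pip install bandit

      # bandit exits non-zero when it reports findings at or above the
      # severity threshold (-ll = medium and high). continue-on-error keeps
      # this job green so a scheduled run never shows up as a broken build;
      # the step outcome is inspected below instead.
      - name: Run bandit
        id: scan
        continue-on-error: true
        run: bandit -r superset -ll -f txt -o bandit-report.txt   # package path assumed

      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit-report.txt

      # Notify committers only when bandit reported something. Reuse an open
      # tracking issue if one exists so a daily run does not spam new issues.
      - name: Report findings to committers
        if: steps.scan.outcome == 'failure'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          existing=$(gh issue list --label bandit --state open --limit 1 \
                       --json number --jq '.[0].number')
          if [ -n "$existing" ]; then
            gh issue comment "$existing" --body-file bandit-report.txt
          else
            gh issue create \
              --title "bandit: findings from nightly scan ($(date -u +%F))" \
              --label bandit \
              --body-file bandit-report.txt
          fi
```

Because the trigger is `schedule` rather than `pull_request`, a finding introduced by a newly published advisory or a bandit rule update surfaces as an issue for committers to triage, and no open PR or `master` run turns red because of it. The trade-off is that a genuinely new finding introduced by a PR is also not caught until the next scheduled run, so a separate, narrowly scoped check on PRs (for example, only on files the PR touches) is the usual complement.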