Yicong-Huang opened a new issue, #6162:
URL: https://github.com/apache/texera/issues/6162

   ### Task Summary
   
   Dependabot alerts currently cover only the npm and pip manifests; sbt 
dependencies are invisible because GitHub cannot parse `build.sbt`. The recent 
jackson-databind CVE batch (fixed in #6152) never appeared in the security tab 
and was caught by hand.
   
   Add a `dependency-graph.yml` workflow that runs 
[scalacenter/sbt-dependency-submission](https://github.com/scalacenter/sbt-dependency-submission)
 on pushes to `main`, submitting the resolved sbt dependency graph (all 
modules, transitive included) via the Dependency Submission API. After that, 
Scala dependencies (Jackson, Pekko, …) get Dependabot alerts like npm/pip.
   
   The action is SHA-pinned per the ASF GitHub Actions policy and is already 
used by apache/pekko (and 7 other ASF repos). Dependabot version-update / 
security-update PRs are out of scope here.
   
   ### Task Type
   
   - [ ] Refactor / Cleanup
   - [x] DevOps / Deployment / CI
   - [ ] Testing / QA
   - [ ] Documentation
   - [ ] Performance
   - [ ] Other


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to