Yicong-Huang opened a new issue, #6162: URL: https://github.com/apache/texera/issues/6162
### Task Summary Dependabot alerts currently cover only the npm and pip manifests; sbt dependencies are invisible because GitHub cannot parse `build.sbt`. The recent jackson-databind CVE batch (fixed in #6152) never appeared in the security tab and was caught by hand. Add a `dependency-graph.yml` workflow that runs [scalacenter/sbt-dependency-submission](https://github.com/scalacenter/sbt-dependency-submission) on pushes to `main`, submitting the resolved sbt dependency graph (all modules, transitive included) via the Dependency Submission API. After that, Scala dependencies (Jackson, Pekko, …) get Dependabot alerts like npm/pip. The action is SHA-pinned per the ASF GitHub Actions policy and is already used by apache/pekko (and 7 other ASF repos). Dependabot version-update / security-update PRs are out of scope here. ### Task Type - [ ] Refactor / Cleanup - [x] DevOps / Deployment / CI - [ ] Testing / QA - [ ] Documentation - [ ] Performance - [ ] Other -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
