I’ve modified just the first sentence, to:

Dependencies expose the project to ongoing audit and maintenance burdens, and security risks. We wish to minimise our declared and transitive dependencies and to standardise mechanisms and solutions in the codebase. Adding new dependencies requires community consensus via a [DISCUSS] thread on the dev@cassandra.apache.org mailing list.
Since it’s not only security risks we care about. But really this is all nitpicking.

From: Mick Semb Wever <m...@apache.org>
Date: Wednesday, 1 June 2022 at 10:51
To: dev@cassandra.apache.org <dev@cassandra.apache.org>
Subject: Re: Updating our Code Contribution/Style Guide

On Mon, 30 May 2022 at 22:37, Ekaterina Dimitrova <e.dimitr...@gmail.com> wrote:

I also like it, thank you for putting it together. We can always add more and more, but I think the current one is already quite extensive. I like the dependency management point.

The dependency management paragraph, no objections, but the wording can be shortened… For example,

Dependencies to the project are difficult to maintain over time and expose security flaws that are difficult for us to continuously audit. We wish to minimise our declared and transitive dependencies and to standardise mechanisms and solutions in the codebase. Adding new dependencies requires community consensus via a [DISCUSS] thread on the dev@cassandra.apache.org mailing list.