Hello,

As a final step in the series of PRs to upgrade old dependencies with various CVEs (by Nicolo and me), I added a PR that introduces an extra check on pom.xml file changes: it will run OWASP dependency check and fail if any CVE of level >= 7 is detected.
Please review this PR https://github.com/apache/pulsar/pull/13972 and one more pending fix from Nicolo: https://github.com/apache/pulsar/pull/13943

There is an existing workflow that runs daily, but it has limited visibility at the moment: https://github.com/apache/pulsar/actions/workflows/ci-owasp-dependency-check.yaml

As a next step we can work on making it email the dev list when it fails, but the check on PRs when pom files change will be more immediately visible. Similar changes are pending for BookKeeper.

-- Andrey Yegorov
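For readers following the thread who want to see what such a gate looks like in practice, the following is an added illustrative GitHub Actions workflow; it is not the workflow from the linked Pulsar PR or the existing daily job, and the workflow name, job name, Java version and Maven invocation are assumptions. It uses two real mechanisms: a `paths` filter so the job runs only on pull requests that touch a pom.xml, and the OWASP dependency-check-maven plugin's `failBuildOnCVSS` setting, which fails the build when any finding has a CVSS base score at or above the threshold (the plugin's default of 11 never fails, since CVSS scores range 0-10).

```yaml
# Added example, not the Pulsar project's own workflow.
# Runs OWASP dependency-check on pull requests that modify any pom.xml
# and fails the check if a vulnerability with CVSS >= 7 is found.
name: Dependency vulnerability gate (example)

on:
  pull_request:
    paths:
      - '**/pom.xml'   # only PRs that change dependency declarations

jobs:
  owasp-dependency-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '11'   # assumed; match the project's build JDK

      # Cache the NVD data the plugin downloads, otherwise every run
      # re-fetches the full CVE feed and the job is slow and flaky.
      - uses: actions/cache@v2
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data
          key: owasp-nvd-${{ github.run_id }}
          restore-keys: owasp-nvd-

      # -DfailBuildOnCVSS=7: the plugin's user property for the CVSS
      # threshold at or above which the build is failed.
      # -DskipTests / -DskipTestScope: the check is about shipped
      # dependencies, so test-scoped artifacts are excluded.
      - name: Run OWASP dependency-check (fail on CVSS >= 7)
        run: |
          mvn -B -ntp org.owasp:dependency-check-maven:check \
            -DfailBuildOnCVSS=7 \
            -DskipTestScope=true \
            -DskipTests
```

Two practical caveats: known false positives or accepted risks should go in a suppression file referenced via the plugin's `suppressionFile` parameter rather than by raising the threshold, and the threshold should be enforced on the aggregate result (the `aggregate` goal) in a multi-module build like Pulsar, otherwise a vulnerable transitive dependency pulled in by only one module can slip past a per-module run.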