janhoy commented on PR #2880: URL: https://github.com/apache/solr/pull/2880#issuecomment-2491149013
> Are there any specific needs for how to treat security updates (dependencies with vulnerabilities)?

We have not distinguished these before, and such CVEs are already public anyway. Curious what the commit message will look like, i.e. will it highlight that it is a security upgrade?

Sometimes a vulnerable dependency makes Solr vulnerable, and sometimes that warrants a Solr bugfix release. Committers should probably monitor dependabot security PRs and make such considerations on a day-to-day basis. Not sure if we need any extra processes for it. A bonus that we get a "security" label on those PRs!
