The GitHub Actions job "Generate doc check" on pekko.git has failed. Run started by GitHub user raboof (triggered by raboof).
Head commit for run: fbd6ea3ba208cf100990049fe396959a3cc7fb03 / Arnout Engelen <arn...@bzzt.net> chore: dependency-submission: skip test scope Currently, dependency-submission would submit all dependencies to https://github.com/apache/pekko/security/dependabot , including test dependencies. We then added explicit dependencies to the build to squash warnings about outdated test dependencies (#1181, #1313 and #1344). With version 3, sbt-dependency-submission now supports ignoring scopes. This PR proposes to ignore the test scope, and remove the explicit dependencies from the build. Of course, we want our developers to be secure as much as our users. >From that perspective you could say we'd want to remove 'insecure' dependencies even from the test scope. In practice, however, I think it's really unlikely that a vulnerability in a test scope dependency would lead to a realistic attack on a developer. For that reason, I think ignoring this scope for dependency-submission and keeping the old dependencies in the build removes some development friction, which balances out the risk of testing with outdated dependencies. If there'd be a 'malicious' dependency out there, I expect we'd learn about it through other channels. (do we need to request sbt-dependency-submission@v3 to be whitelisted at Infra?) Report URL: https://github.com/apache/pekko/actions/runs/10262128121 With regards, GitHub Actions via GitBox --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@pekko.apache.org For additional commands, e-mail: notifications-h...@pekko.apache.org
