Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: dependency-submission: skip test scope #1392

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

raboof
Copy link
Member

@raboof raboof commented Jul 10, 2024

Currently, dependency-submission would submit all dependencies to https://github.com/apache/pekko/security/dependabot , including test dependencies. We then added explicit dependencies to the build to squash warnings about outdated test dependencies (#1181, #1313 and #1344).

With version 3, sbt-dependency-submission now supports ignoring scopes. This PR proposes to ignore the test scope, and remove the explicit dependencies from the build.

Of course, we want our developers to be secure as much as our users. From that perspective you could say we'd want to remove 'insecure' dependencies even from the test scope. In practice, however, I think it's really unlikely that a vulnerability in a test scope dependency would lead to a realistic attack on a developer. For that reason, I think ignoring this scope for dependency-submission and keeping the old dependencies in the build removes some development friction, which balances out the risk of testing with outdated dependencies. If there'd be a 'malicious' dependency out there, I expect we'd learn about it through other channels.

(do we need to request sbt-dependency-submission@v3 to be whitelisted at Infra?)

Closes #1317

@pjfanning
Copy link
Contributor

It's hard to tell if the action will be pre-approved. I think the Infrastructure team wildcard the version but we'll only find out when we merge this.

@raboof raboof force-pushed the dependency-submission-skip-test branch from 0d7d96f to fbd6ea3 Compare August 6, 2024 07:23
@raboof
Copy link
Member Author

raboof commented Aug 6, 2024

(rebased to fix merge conflict)

Currently, dependency-submission would submit all dependencies to
https://github.com/apache/pekko/security/dependabot , including
test dependencies. We then added explicit dependencies to the build
to squash warnings about outdated test dependencies (apache#1181, apache#1313
and apache#1344).

With version 3, sbt-dependency-submission now supports ignoring
scopes. This PR proposes to ignore the test scope, and remove the
explicit dependencies from the build.

Of course, we want our developers to be secure as much as our users.
From that perspective you could say we'd want to remove 'insecure'
dependencies even from the test scope. In practice, however, I think
it's really unlikely that a vulnerability in a test scope dependency
would lead to a realistic attack on a developer. For that reason, I
think ignoring this scope for dependency-submission and keeping the
old dependencies in the build removes some development friction, which
balances out the risk of testing with outdated dependencies. If there'd
be a 'malicious' dependency out there, I expect we'd learn about it
through other channels.

(do we need to request sbt-dependency-submission@v3 to be whitelisted
at Infra?)
@raboof raboof force-pushed the dependency-submission-skip-test branch from fbd6ea3 to 40cd9f0 Compare August 6, 2024 07:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

review test dependency overrides associated with docker-java
2 participants