Skip to content

Automated review of dependencies with few maintainers aka "Bernies" #1235

Description

@sbp

Some of ATR's dependencies have few maintainers or very slow release cycles. These dependencies are most at risk of social engineering attacks, and such attack would be far less likely to be discovered than attacks on dependencies with many maintainers and users. We should add some automated review pipelines, in addition to doing manual review on upgrades.

Metadata

Metadata

Labels

deep knowledgeThis issue requires deep knowledge of the codebase to perform. Core developers only.gh-helperTriaged by `gh-helper` https://github.com/apache/tooling-agents/blob/main/gh-helper/README.mdpriorityNot critical, but should be addressed soonsecurityIssues related to security posture

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions