Currently, dependency-submission would submit all dependencies to
https://github.com/apache/pekko/security/dependabot , including
test dependencies. We then added explicit dependencies to the build
to squash warnings about outdated test dependencies (#1181, #1313
and #1344).
With version 3, sbt-dependency-submission now supports ignoring
scopes. This PR proposes to ignore the test scope, and remove the
explicit dependencies from the build.
Of course, we want our developers to be secure as much as our users.
From that perspective you could say we'd want to remove 'insecure'
dependencies even from the test scope. In practice, however, I think
it's really unlikely that a vulnerability in a test scope dependency
would lead to a realistic attack on a developer. For that reason, I
think ignoring this scope for dependency-submission and keeping the
old dependencies in the build removes some development friction, which
balances out the risk of testing with outdated dependencies. If there'd
be a 'malicious' dependency out there, I expect we'd learn about it
through other channels.
* Revert "revert #1568 due to test failures (#1587)"
This reverts commit 7af03e5215.
* temp run nightly test in this PR
* no need for square brackets because the set print adds them
* logging to find issue
* support tcp protocols
* Update ClusterDaemon.scala
* remove temp logging
* try to fix issue in Remoting
* extra tests
* more tests
* ignore udp tests
* try to make tests tidy up after failures
* Update MixedProtocolClusterSpec.scala
* Update MixedProtocolClusterSpec.scala
* run main cluster tests for PR
* Update sbt to 1.10.0
* chore: Use `;` to separate commands
---------
Co-authored-by: scala-steward-asf[bot] <147768647+scala-steward-asf[bot]@users.noreply.github.com>
Co-authored-by: He-Pin <hepin1989@gmail.com>
* Capture build scans on ge.apache.org to benefit from deep build insights (#1)
* Add Develocity plugin and configure it to publish to Apache Develocity instance
* Add Develocity access token to CI jobs
* Use convention plugin to configure Develocity
* Add opt-in property
* Revert "Add opt-in property"
This reverts commit ff556b9764fd6b980b24082a3195ba3fbd22faf6.
* Improve variable name
* Use upper case i in CI abbreviation
* using dependency walking to check JDK9 works
* rollback constant extract
* code format and header format
* improve code
* fix code
* add CI action
* apply for all JDK9 package module
* update ci
* Using plugin rather than code
Signed-off-by: Andy.Chen <iRoiocam@gmail.com>
---------
Signed-off-by: Andy.Chen <iRoiocam@gmail.com>
