kevinjqliu commented on PR #16749: URL: https://github.com/apache/iceberg/pull/16749#issuecomment-4665910739
Thanks for fixing this, @nssalian. We might want to reconsider blocking PRs on CVE scan: https://github.com/apache/iceberg/blob/8d0aab70028a83f96e5034a4804e18d8c51b96a7/.github/workflows/cve-scan.yml#L155

The scan was originally added to prevent PRs from introducing new dependencies with active CVEs. But with the current behavior, if a new CVE is reported for an existing dependency, unrelated PRs can start failing as well.

It might be better to make PR scans informational too, as long as the findings are surfaced clearly on the PR. That way, reviewers can distinguish between CVEs on existing dependencies and PRs that introduce new dependencies with active CVEs.

--
This is an automated message from the Apache Git Service.
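The distinction the comment asks for, findings on dependencies the PR brought in versus a newly published CVE on a dependency that was already on the base branch, can be made mechanically by comparing the scanner's findings against the resolved dependency lists of the base branch and the PR head. The script below is an added example written for this discussion; it is not code from the Iceberg project, its workflow, or the comment's author. It assumes a scanner that reports one finding per (dependency, version, CVE id) and that both dependency lists are available as name-to-version mappings; every dependency name, version and CVE id in the sample data is a constructed placeholder.

```python
"""Triage CVE-scan findings on a pull request: pre-existing vs introduced.

Added example for the discussion above; it is not the Iceberg project's own
code or workflow. Assumptions: the scanner emits one finding per
(dependency, version, CVE id), and the resolved dependency lists of the base
branch and of the PR head are available as name -> version mappings. All
dependency names, versions and CVE ids below are constructed placeholders.
"""
import os
import sys
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    dependency: str  # coordinate as reported by the scanner, e.g. "group:artifact"
    version: str     # version the CVE was reported against
    cve_id: str
    severity: str    # scanner severity label, e.g. CRITICAL / HIGH / MEDIUM / LOW


@dataclass
class Triage:
    # Findings on dependencies the PR added or whose version the PR changed.
    introduced: list = field(default_factory=list)
    # Findings on dependencies present on the base branch at the same version:
    # a newly published CVE, not something this PR brought in.
    preexisting: list = field(default_factory=list)


def triage(findings, base_deps, head_deps):
    """Split findings by whether the PR is responsible for the vulnerable dependency.

    base_deps / head_deps: dict mapping dependency name -> resolved version.
    """
    result = Triage()
    for f in findings:
        if head_deps.get(f.dependency) != f.version:
            # Finding does not match the PR head's resolved graph (stale scan
            # or a different version); nothing for this PR to act on.
            continue
        if base_deps.get(f.dependency) == f.version:
            result.preexisting.append(f)
        else:
            result.introduced.append(f)
    return result


def should_block(result, blocking_severities=("CRITICAL", "HIGH")):
    """Block only on findings the PR introduced; pre-existing ones are informational."""
    return any(f.severity in blocking_severities for f in result.introduced)


def render_summary(result):
    """Markdown suitable for GitHub's job summary ($GITHUB_STEP_SUMMARY)."""
    lines = ["## CVE scan"]
    for title, group in (("Introduced by this PR", result.introduced),
                         ("Pre-existing on base branch", result.preexisting)):
        lines.append(f"### {title} ({len(group)})")
        lines.extend(f"- {f.cve_id} {f.severity}: {f.dependency}@{f.version}" for f in group)
    return "\n".join(lines) + "\n"


# Constructed sample data: placeholder coordinates, versions and CVE ids.
BASE_DEPS = {"org.example:parser": "1.2.0", "org.example:http": "3.0.1"}
HEAD_DEPS = {"org.example:parser": "1.2.0",  # unchanged
             "org.example:http": "3.1.0",    # version bumped by the PR
             "org.example:newlib": "0.9.0"}  # new dependency added by the PR
SAMPLE_FINDINGS = [
    Finding("org.example:parser", "1.2.0", "CVE-PLACEHOLDER-1", "HIGH"),      # pre-existing
    Finding("org.example:newlib", "0.9.0", "CVE-PLACEHOLDER-2", "CRITICAL"),  # introduced
    Finding("org.example:http", "3.1.0", "CVE-PLACEHOLDER-3", "MEDIUM"),      # introduced, non-blocking
    Finding("org.example:http", "3.0.1", "CVE-PLACEHOLDER-4", "HIGH"),        # stale: base version only
]


def run_sample():
    return triage(SAMPLE_FINDINGS, BASE_DEPS, HEAD_DEPS)


if __name__ == "__main__":
    t = run_sample()
    summary = render_summary(t)
    path = os.environ.get("GITHUB_STEP_SUMMARY")
    if path:
        with open(path, "a") as fh:
            fh.write(summary)
    else:
        print(summary)
    # Non-zero exit (fails the check) only for findings this PR is responsible for.
    sys.exit(1 if should_block(t) else 0)
```

Run as a workflow step after the scanner, the script appends both groups to the job summary so reviewers see every finding, but it only fails the check when the PR itself introduced a dependency with a CVE at or above the blocking severity. A CVE published against a dependency that was already on the base branch lands in the pre-existing group and stays informational, which is the behaviour the comment proposes; the severity threshold is a parameter so a project can tune what counts as blocking.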
