rmuir commented on issue #15114: URL: https://github.com/apache/lucene/issues/15114#issuecomment-3215921173
It is outdated by dependabot for the `main` branch. We have a bot that tells us what is out of date: https://github.com/apache/lucene/pulls?q=is%3Apr+is%3Aopen+dependabot

If we want to improve dependency analysis, IMO a better path would be to look into "dependency submission API" so that GitHub's dependency graph knows about all of our dependencies. Currently it doesn't know the java/gradle ones without us submitting the data (maybe there's a simple gradle plugin for that?), it only knows about `pip` and `actions` ecosystems: https://github.com/apache/lucene/network/dependencies

Anyway, it's just an idea, we could make another issue for that and maybe someone wants to take it on. Personally, I have not tackled the dependency submission API with GitHub yet, but if we fixed this then we'd have more security features from GitHub working for us. It's pretty cool: it really does work as a "graph", with alerts on your transitive deps that make sense, SBOM generation, etc.

And a warning: maybe in the future GitHub improves their gradle processing to just "work", like it does for pip and actions, without any effort on our part. Then we'd avoid any dependency submission logic.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org