
Ongoing dependency evaluation #6820

Open
ThatsMrTalbot opened this issue Mar 6, 2024 · 2 comments
Labels
lifecycle/frozen: Indicates that an issue or PR should not be auto-closed due to staleness.
priority/important-longterm: Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@ThatsMrTalbot
Contributor

Is your feature request related to a problem? Please describe.

As a project, we need to be consistently evaluating existing dependencies as well as new dependencies as they arise. This is part of being a mature project that needs to have strong security practices.

On top of this, we need to ensure dependencies are kept up to date to ensure we have all security fixes from our dependencies.

Describe the solution you'd like

  • An additional PR check that evaluates dependencies using https://github.com/ossf/scorecard and blocks dependencies below a threshold
  • Automation to PR dependency updates (something like dependabot/renovate)
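The first bullet above describes a PR check that looks up an OpenSSF Scorecard score for each dependency and fails the check for anything under a threshold. The following Go program is an added illustration of that gate, not code from the cert-manager project or from the issue author. It assumes the dependencies come from a `go.mod` `require` block, that scores are aggregate Scorecard results keyed by `github.com/owner/repo` (a real check would fetch them from the Scorecard API instead of the constructed `sampleScores` map used here), and that the threshold of 5.0 is a placeholder the project would choose. Dependencies with no score available are reported as findings too, so an unevaluated module cannot pass silently.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed go.mod fragment standing in for a real project's file.
const sampleGoMod = `module example.com/demo

go 1.22

require (
	github.com/acme/widgets v1.4.0
	github.com/acme/legacy v0.2.1 // indirect
	golang.org/x/text v0.14.0
	example.org/internal/tool v1.0.0
)
`

// Constructed aggregate scores keyed by "github.com/owner/repo".
// Assumption: a real check would obtain these from the Scorecard API
// for each repository rather than from an in-memory map.
var sampleScores = map[string]float64{
	"github.com/acme/widgets": 7.8,
	"github.com/acme/legacy":  3.1,
}

// requiredModules extracts module paths from the require block(s) and any
// single-line require directives of a go.mod file.
func requiredModules(gomod string) []string {
	var mods []string
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && line != "" && !strings.HasPrefix(line, "//"):
			// First field is the module path; version and "// indirect" follow.
			mods = append(mods, strings.Fields(line)[0])
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[1])
			}
		}
	}
	return mods
}

// githubRepo reduces a module path to "github.com/owner/repo", or returns ""
// when the module is not hosted directly on github.com (vanity import paths
// such as golang.org/x/... would need resolving first; not done here).
func githubRepo(modPath string) string {
	parts := strings.Split(modPath, "/")
	if len(parts) < 3 || parts[0] != "github.com" {
		return ""
	}
	return strings.Join(parts[:3], "/")
}

// Finding is one dependency that should block the PR check.
type Finding struct {
	Module string
	Repo   string
	Score  float64 // -1 when no score could be obtained
}

// Evaluate returns, sorted by module path, every dependency whose score is
// below threshold and every dependency for which no score is available.
func Evaluate(gomod string, scores map[string]float64, threshold float64) []Finding {
	var findings []Finding
	for _, m := range requiredModules(gomod) {
		repo := githubRepo(m)
		score, ok := scores[repo]
		if repo == "" || !ok {
			findings = append(findings, Finding{Module: m, Repo: repo, Score: -1})
			continue
		}
		if score < threshold {
			findings = append(findings, Finding{Module: m, Repo: repo, Score: score})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Module < findings[j].Module })
	return findings
}

func main() {
	const threshold = 5.0 // placeholder value; the project would pick its own
	for _, f := range Evaluate(sampleGoMod, sampleScores, threshold) {
		if f.Score < 0 {
			fmt.Printf("NO SCORE   %s\n", f.Module)
			continue
		}
		fmt.Printf("BELOW %.1f  %s (%s scored %.1f)\n", threshold, f.Module, f.Repo, f.Score)
	}
}
```

Treating "no score" as a finding is the conservative choice for a blocking PR check: it surfaces modules the lookup could not map (vanity paths, private hosts) so a human decides rather than the gate waving them through.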
@cert-manager-bot
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 4, 2024
@ThatsMrTalbot
Contributor Author

/remove-lifecycle stale
/lifecycle frozen

@cert-manager-prow cert-manager-prow bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 4, 2024
@inteon inteon added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label Jul 16, 2024