Bump dependencies #2110
Signed-off-by: Chris (He/Him) <[email protected]>
Signed-off-by: Chris (He/Him) <[email protected]>
Bug: Security dependency review job removed from PR workflow
The pr-security job that runs actions/dependency-review-action with fail-on-severity: moderate has been removed from the PR workflow. This job scanned pull requests for vulnerable dependencies and blocked merging if moderate or higher severity vulnerabilities were detected. Removing this security gate without replacement could allow dependencies with known vulnerabilities to enter the codebase undetected. This appears unrelated to the stated PR goal of "Bump dependencies."
atlan-java/.github/workflows/pr-build.yml (lines 57 to 58 in 607553a):

```yaml
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
```
Signed-off-by: Chris (He/Him) <[email protected]>
Signed-off-by: Chris (He/Him) <[email protected]>
Signed-off-by: Chris (He/Him) <[email protected]>
Bug: Removal of dependency security scanning workflow job
The pr-security job has been removed from the PR workflow. This job ran actions/dependency-review-action to scan for dependency vulnerabilities and fail on moderate or higher severity issues. Without this check, pull requests with vulnerable dependencies will no longer be blocked automatically, reducing the security posture of the CI pipeline. In a "Bump dependencies" PR, this removal seems unintentional or at least warrants explicit confirmation.
atlan-java/.github/workflows/pr-build.yml (lines 57 to 58 in c91079f):

```yaml
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
```
Signed-off-by: Chris (He/Him) <[email protected]>
Bug: Security dependency review job removed during dependency update
The pr-security job that runs actions/dependency-review-action with fail-on-severity: moderate has been completely removed from the PR workflow. This job was responsible for scanning pull requests for dependencies with known security vulnerabilities. Removing this security check in a PR that bumps dependencies is concerning, as it eliminates the automated safety net that would catch vulnerable dependencies before they're merged. This may have been unintentional or done to bypass a vulnerability check for one of the newly bumped dependencies.
atlan-java/.github/workflows/pr-build.yml (lines 48 to 58 in 664f103):

```yaml
        with:
          distribution: temurin
          java-version: 21
      - name: Setup Gradle
        uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
      - name: Unit tests
        run: ./gradlew test
        env:
          GH_USERNAME: ${{ github.actor }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
```
Note

Updates key dependency versions and removes the PR dependency review job from the CI workflow.

- Updates `org.pkl-lang:org.pkl-lang.gradle.plugin` to `0.30.1` in `buildSrc/build.gradle.kts`.
- `gradle/libs.versions.toml`: `elasticsearch` → 9.2.2, `awssdk` → 2.40.1, `pkl` → 0.30.1, `rhino` → 1.8.1.
- Removes the `pr-security` job (dependency review via `actions/dependency-review-action`) from `.github/workflows/pr-build.yml`.

Written by Cursor Bugbot for commit 664f103.
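For reference, this is what a dependency review gate of the kind the comments above describe looks like as a workflow job. It is an added example, not the project's own `pr-build.yml` and not the job that was removed: the job name `pr-security`, the action `actions/dependency-review-action` and the input `fail-on-severity: moderate` come from the comments, while the trigger, the `permissions` block, the checkout step and the `@v4` action versions are assumptions.

```yaml
# Added example of a PR dependency review gate; not the project's own workflow.
# Assumed: pull_request trigger, read-only token permissions, checkout step,
# and v4 of both actions. The job name and fail-on-severity value match the
# review comments on this PR.
name: pr-build

on:
  pull_request:

permissions:
  contents: read

jobs:
  pr-security:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Dependency review
        uses: actions/dependency-review-action@v4
        with:
          # Compare the dependency graph of the PR head against the base ref and
          # fail the check when any added or updated dependency has a known
          # vulnerability of moderate severity or higher.
          fail-on-severity: moderate
```

The action diffs the repository's dependency graph between the base and head refs, so it only catches anything if the dependency graph is enabled for the repository and is populated for the Gradle build; with it removed, a bumped version such as those listed in the summary above is merged with no automated vulnerability check, and the gap is only visible by noticing that the job no longer appears in the workflow file or in the PR's check list.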