The "Run Rust audits" action has been failing for several weeks now. It currently reports 78 unvetted dependencies.
We should figure out a way to ensure that the vetted list is maintained, and that one or more maintainers "own" it in the sense of being notified about failures and driving the resolution of those failures.
#1246 and #1240 (comment) discuss switching the audit action to block PRs, but the latter rejects it on the basis that "We usually have non-maintainers contributing to the code base, and for the audits, we would like to keep them to just maintainers. Besides trusting audits from external people, we would also add an extra burden to someone submitting a PR." (Which I completely agree with.)
Can we find a happy medium?
@michelleN I think we should add it to triage duty. We can always remove it if we find a different strategy, but we should probably prioritize taking steps in resolving audits.