Discuss how to keep up with Dependabot's recommendations around package updates when versions are pinned.
We need to understand when it is safe to allow merges of Dependabot PRs without breaking working code.
When Snyk findings bubble up, the app teams owning the code will need to review the PR it creates and come up with a path forward to resolve the finding within the time window mandated for security findings of the corresponding severity.
Trade-off to settle: backward compatibility vs. updated and secure components/libraries.
DoD (Definition of Done): a formal process and decision tree to determine how to proceed when security issues are found in app dependencies that are pinned to exploitable versions and have been fixed in a newer version.
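As an added worked example (not part of this ticket or of any Dependabot/Snyk tooling), the helper below encodes one possible shape for the decision tree the DoD asks for: it checks whether the pinned version is actually affected, whether the bot PR's proposed version reaches the advisory's fixed version, and then uses the semver size of the jump (patch, minor, major) to decide how much review is needed before merge. The SLA windows per severity, the action names, and the sample finding are constructed assumptions; real values come from the mandated remediation policy.

```python
"""Decision-tree helper for Dependabot/Snyk PRs against pinned dependencies.

Added example, not part of the original ticket. The severity-to-SLA mapping,
the action labels and the sample finding below are constructed assumptions.
"""
from dataclasses import dataclass
import re

# Accepts "1.2.3", "v1.2.3", "1.2.3-rc1"; prerelease/build tags are ignored for ordering.
_SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.-]+)?$")

# Assumed remediation windows in days per severity (hypothetical policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_semver(version: str) -> tuple:
    """Return (major, minor, patch) as ints so versions compare correctly as tuples."""
    m = _SEMVER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())


def bump_kind(current: str, proposed: str) -> str:
    """Classify the jump from current to proposed as 'none', 'patch', 'minor' or 'major'."""
    c, p = parse_semver(current), parse_semver(proposed)
    if p <= c:
        return "none"
    if p[0] != c[0]:
        return "major"
    if p[1] != c[1]:
        return "minor"
    return "patch"


@dataclass(frozen=True)
class Finding:
    package: str
    pinned: str      # version currently pinned in the lock / requirements file
    fixed_in: str    # first version containing the fix, per the advisory
    severity: str    # critical / high / medium / low


@dataclass(frozen=True)
class Decision:
    action: str
    reason: str
    sla_days: int


def triage(finding: Finding, proposed: str) -> Decision:
    """Walk the decision tree for one finding and the version a bot PR proposes."""
    sla = SLA_DAYS[finding.severity.lower()]
    pinned = parse_semver(finding.pinned)
    fixed = parse_semver(finding.fixed_in)
    target = parse_semver(proposed)

    # 1. Pinned version is already at or past the fix: the finding does not apply.
    if pinned >= fixed:
        return Decision("not-affected",
                        f"{finding.package} {finding.pinned} already includes the fix", sla)

    # 2. The PR does not reach the fixed version: merging it would not close the finding.
    if target < fixed:
        return Decision("reject-bump",
                        f"proposed {proposed} is below fixed version {finding.fixed_in}", sla)

    # 3. The bump reaches the fix; the size of the jump decides the review depth.
    kind = bump_kind(finding.pinned, proposed)
    if kind == "patch":
        return Decision("merge-if-ci-green",
                        "patch bump: API-compatible by semver, CI gate is sufficient", sla)
    if kind == "minor":
        return Decision("review-then-merge",
                        "minor bump: read the changelog and run the full test suite first", sla)
    return Decision("compat-review",
                    f"major bump: breaking changes expected; complete the upgrade within "
                    f"{sla} days or file a documented exception", sla)


if __name__ == "__main__":
    # Constructed sample finding, not a real advisory.
    sample = Finding("examplelib", pinned="4.17.15", fixed_in="4.17.21", severity="high")
    for proposed in ("4.17.19", "4.17.21", "5.0.0"):
        d = triage(sample, proposed)
        print(f"{sample.package} {sample.pinned} -> {proposed}: {d.action} ({d.reason}); "
              f"SLA {d.sla_days} days")
```

The ordering of the checks matters: a PR is rejected when it bumps to a version still below the fix even if the bump itself would be trivial to merge, because merging it would not close the finding within the SLA window. Semver compatibility is only a heuristic; a patch bump still goes through CI before merge, and a major bump always gets a human compatibility review.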