Open embano1 opened 1 year ago
yep - just need to find the time :-)
This issue is stale because it has been open for 30 days with no activity. Mark as fresh by updating e.g., adding the comment /remove-lifecycle stale.
As CloudEvents provide SDKs with out of the box integration with 3rd party libraries, could we add either dependabot or renovate for managing all dependencies for all CloudEvents repositories?
For example, on the JAVA-SDK repository, the latest SDK update is from May 15, 2023 and the following packages have known vulnerabilities on 3rd party dependencies:
Yes, we use Dependabot in the sdk-go repo. Want to file a PR? Not sure how much work is involved though to integrate with Maven (security keys to push).
After reviewing the recent security audit I was wondering whether we should enable GitHub Dependabot for this repo to automatically bump deps.
cc/ @duglin @lionelvillard