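# Runs GitHub's dependency-review action on every pull request so that newly
# introduced dependencies carrying known advisories are surfaced before merge.
name: "Dependency Review"
on: [pull_request]

# Least privilege: reviewing a PR's dependency manifests only needs read access.
permissions:
  contents: read

# Ensures that we cancel running jobs for the same PR / same workflow.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      # Both actions are pinned to a full commit SHA (the released version is kept in
      # the trailing comment) so that a moved tag cannot silently change what runs here.
      - name: "Checkout Repository"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Dependency Review"
        uses: actions/dependency-review-action@f5b971718edcbb31275a1db40004592335c0e031 # v4.8.1
        with:
          # Advisories accepted after review. Each entry records why it is tolerated;
          # re-examine an entry whenever the crate it concerns is upgraded or the
          # assumption it rests on (trusted input, disabled feature) no longer holds.
          # GHSA-c38w-74pg-36hr, GHSA-4grx-2x9w-596c: minor vuln on the rsa crate, used for google storage.
          # GHSA-cq8v-f236-94qc: rand 0.8.6 unsound with custom logger + rand::rng(), not affected (log feature disabled, transitive dep from fail/sqlx).
          # GHSA-2f9f-gq7v-9h6m: thrift 0.17 excessive-allocation on untrusted input. Already a transitive
          # dep via parquet on main; PR-4 (streaming Parquet reader) adds it as a direct dep for
          # `parquet::format::PageHeader::read_from_in_protocol`. Inputs are parquet files we wrote to
          # our own object store (trusted source). Defense-in-depth: the streaming reader caps each
          # Thrift parse buffer at `max_page_header_bytes` (1 MiB default) BEFORE handing bytes to
          # thrift, so the outer buffer thrift can read from is bounded regardless of any inner
          # length prefix. No newer thrift release fixes this — 0.17.0 is the latest on crates.io.
          allow-ghsas: GHSA-c38w-74pg-36hr,GHSA-4grx-2x9w-596c,GHSA-cq8v-f236-94qc,GHSA-2f9f-gq7v-9h6m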