Please see my comments inline.
On 9/10/17 23:40, Priyanka Gugale wrote:
While all software/libraries are subject to insecure code and
vulnerabilities, all software vendors whether open or close source
hopefully try to make code more secure rather than insecure. If there is
an existing or newly introduced dependency with a critical security
issue, I don't see why Apex community wants to accept the high
probability of being exposed to a security exploit. The only reasonable
explanation for me is that the community members do not care about
overall project quality and care only for tasks/PRs assigned to them by
somebody else. I'll be glad to hear a different explanation for the
proposal not to penalize PRs that do not introduce new dependencies and
are affected by a newly found vulnerability in an existing dependency.
Will not we all be penalized later if we don't fix it?
+1. Equally applies to a newly introduced functionality and bug fixes.