Improve dependency review action or bump pseudo version on main
Context
The main SDK module currently resolves to a pseudo version of the form v0.46.0-beta2-XXXX, i.e. a Go pseudo version whose base tag is v0.46.0-beta2 and which therefore sorts between v0.46.0-beta2 and v0.46.0.
We use the dependency review action from GitHub (https://github.com/actions/dependency-review-action) as a required job, so that we are alerted when a PR introduces a dependency with a known vulnerability or when a dependency already in the repo is flagged as vulnerable.
Problem
The SDK recently had (low and medium severity) vulnerabilities affecting the v0.46.x versions, and advisories have been submitted for them. The dependency review action can now match these advisories, and because a pseudo version based on v0.46.0-beta2 sorts below v0.46.0, it falls inside any affected range of the form "< v0.46.x", even though the commit on main is not actually vulnerable. Since the job is required, this blocks the merge of any PR that includes these dependencies. The current workaround is to simply not fail the job for low and medium severity: https://github.com/cosmos/cosmos-sdk/blob/dba2123ce39403e13ae0bdea2ac53d8bcc740696/.github/workflows/dependencies-review.yml#L24 However, this is not optimal, as it silences real low and medium findings as well.
Solution
- We should submit a PR to https://github.com/actions/dependency-review-action that allows skipping certain dependencies (we could then skip the cosmos/cosmos-sdk package in our own repository).
- Or, we need to figure out how to change the base version of the pseudo version on main (however, this may simply push the problem to the next release line).
Personal preference for option 1, as we can work on it directly. One way to always have an increasing pseudo version is to tag the first alpha for a new release from main. This should not be problematic, as the first alpha is basically a snapshot of main in a release branch. One drawback is that it then isn't clear whether a pseudo version comes from the release branch or from main.
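To make the version ordering behind the problem and behind option 2 concrete, below is an added example in Go. It is not code from the cosmos-sdk repository or from the dependency-review-action; it reimplements Go's pseudo-version construction and semver precedence in a few dozen lines. The commit timestamp and hash, the advisory range (fixed in a hypothetical v0.46.5) and the v0.47.0-alpha1 tag are all constructed placeholders. It shows why a pseudo version based on v0.46.0-beta2 lands inside a range such as "< v0.46.5", while one based on a next-release alpha does not, and why a range with an explicit lower bound of v0.46.0 would not match the pseudo version at all.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// version is a parsed semantic version: the three core numbers plus the
// dot-separated pre-release identifiers (empty for a release).
type version struct {
	nums [3]int
	pre  []string
}

// parseVersion parses "vX.Y.Z" or "vX.Y.Z-pre.release". Build metadata is
// not handled because Go module versions never carry it.
func parseVersion(s string) (version, error) {
	var v version
	if !strings.HasPrefix(s, "v") {
		return v, fmt.Errorf("missing v prefix: %q", s)
	}
	core, pre, hasPre := strings.Cut(s[1:], "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("bad core version: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad number %q in %q", p, s)
		}
		v.nums[i] = n
	}
	if hasPre {
		v.pre = strings.Split(pre, ".")
	}
	return v, nil
}

func sign(n int) int {
	switch {
	case n < 0:
		return -1
	case n > 0:
		return 1
	}
	return 0
}

// compareIdent orders two pre-release identifiers: numeric ones compare
// numerically and sort below alphanumeric ones, alphanumeric ones lexically.
func compareIdent(x, y string) int {
	xn, xerr := strconv.Atoi(x)
	yn, yerr := strconv.Atoi(y)
	switch {
	case xerr == nil && yerr == nil:
		return sign(xn - yn)
	case xerr == nil:
		return -1
	case yerr == nil:
		return 1
	}
	return strings.Compare(x, y)
}

// compare returns -1, 0 or +1 following semver 2.0 precedence: core numbers
// first, then any pre-release sorts below the release, then identifiers are
// compared left to right and a longer list wins when the shorter is its prefix.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.nums[i] != b.nums[i] {
			return sign(a.nums[i] - b.nums[i])
		}
	}
	switch {
	case len(a.pre) == 0 && len(b.pre) == 0:
		return 0
	case len(a.pre) == 0:
		return 1
	case len(b.pre) == 0:
		return -1
	}
	for i := 0; i < len(a.pre) && i < len(b.pre); i++ {
		if c := compareIdent(a.pre[i], b.pre[i]); c != 0 {
			return c
		}
	}
	return sign(len(a.pre) - len(b.pre))
}

// pseudoVersion builds the pseudo version the go command assigns to an untagged
// commit: no base tag -> v0.0.0-time-hash; pre-release base vX.Y.Z-pre ->
// vX.Y.Z-pre.0.time-hash; release base vX.Y.Z -> vX.Y.(Z+1)-0.time-hash.
// The timestamp is UTC yyyymmddhhmmss and the hash is the 12-char commit prefix.
func pseudoVersion(base string, t time.Time, hash string) (string, error) {
	if len(hash) < 12 {
		return "", fmt.Errorf("commit hash too short: %q", hash)
	}
	stamp := t.UTC().Format("20060102150405") + "-" + hash[:12]
	if base == "" {
		return "v0.0.0-" + stamp, nil
	}
	v, err := parseVersion(base)
	if err != nil {
		return "", err
	}
	if len(v.pre) > 0 {
		return base + ".0." + stamp, nil
	}
	return fmt.Sprintf("v%d.%d.%d-0.%s", v.nums[0], v.nums[1], v.nums[2]+1, stamp), nil
}

// affected reports whether v lies in the half-open range [introduced, fixed)
// used by advisory databases; an empty introduced means "everything before fixed".
func affected(v, introduced, fixed string) (bool, error) {
	pv, err := parseVersion(v)
	if err != nil {
		return false, err
	}
	pf, err := parseVersion(fixed)
	if err != nil {
		return false, err
	}
	if introduced != "" {
		pi, err := parseVersion(introduced)
		if err != nil {
			return false, err
		}
		if compare(pv, pi) < 0 {
			return false, nil
		}
	}
	return compare(pv, pf) < 0, nil
}

func main() {
	// Constructed commit metadata, not a real cosmos-sdk commit.
	when := time.Date(2022, 9, 1, 12, 0, 0, 0, time.UTC)
	hash := "0123456789abcdef0123456789abcdef01234567"
	for _, base := range []string{"v0.46.0-beta2", "v0.47.0-alpha1"} {
		pv, _ := pseudoVersion(base, when, hash)
		// Hypothetical advisory: every version before v0.46.5 is affected.
		hit, _ := affected(pv, "", "v0.46.5")
		fmt.Printf("base %-15s -> %s  affected by \"< v0.46.5\": %v\n", base, pv, hit)
	}
}
```

Running the block prints the pseudo version for each base tag and whether the constructed advisory range matches it; only the v0.46.0-beta2-based one is flagged, which is exactly the situation the required job is blocking on.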