Billy Lynch

Results 169 comments of Billy Lynch

> What is the best way to handle these vulnerabilities on a regular basis without keeping us vulnerable? We can set up a dependabot config for this - it acts...

Is third_party used anywhere outside of kodata? (basic code search says no) IIRC, this was originally set up for license compliance as a safety net for source distribution in case...

/cc @lbernick for https://github.com/tektoncd/pipeline/pull/6342 /cc @EmmaMunley for https://github.com/tektoncd/pipeline/issues/6352

@pritidesai Not quite following, can you explain a bit more? > Wouldn't that cause a bigger issue instead if we rely on a dependency repo which is deleted so carry...

Follow up before anyone panics: **there is no indication that Pipelines contains AGPL or other copyleft code**. Talked with @pritidesai: A false positive was generated by https://github.com/CycloneDX/license-scanner because it's picking...

@afrittoli - Yes, projects that use the default plumbing template will run [`go-licenses check`](https://github.com/tektoncd/plumbing/blob/c6cc7570d1254ac6796b08f20adcaf10a80d38a4/scripts/library.sh#L307) as part of presubmit.

> MPL-2.0 license text has a list of secondary licenses: > > ``` > 1.12. "Secondary License" > means either the GNU General Public License, Version 2.0, the GNU >...

Makes sense! Maybe we should consider changing the default shell? 🤔 Looks like the error message is a bit better for bash: ```sh $ cat script.sh #!/usr/bin/doesnotexist sh echo 'hello!'...

> Cool! So the images are created and hosted by chainguard? Yep! https://edu.chainguard.dev/chainguard/chainguard-images/overview/ for more details. > How do they fix those vulnerabilities? Magic 🧙 (really a lot of hard...