Process change: Do not require multiple CSP approval for CVE issues that result in version bump for common dependencies
Currently any MR that results in changes to common code requires approval from multiple CSPs. This can result in MRs taking a week or longer to merge. This is acceptable for most cases.
However, some changes related to publicly known security issues (e.g. CVEs) that require a common dependency version increase are subject to the same approval. This is unnecessarily burdensome on the committer, who has to chase approval from multiple CSPs when a CVE fix is often applied to multiple services.
This has resulted in delays to critical and major security issues e.g.
osdu/platform/system/reference/unit-service!79 (merged)
The suggestion is to adopt a standard tag on MRs that relate only to security vulnerabilities where the fix is a dependency version increase,
e.g. the tag could be in the MR title: [CVE-2020-8908][CVE-2021-21295]
These MRs should not require approval from multiple CSPs as long as the pipelines for all CSPs are passing, i.e. they can be approved by a maintainer from a single CSP.