One critical feature is that dependabot does all the builds for you on GitHub Actions; this is an enormous time and resource saver!

Gary

On Wed, Dec 29, 2021, 08:51 Rob Tompkins <chtom...@gmail.com> wrote:

> On Dec 29, 2021, at 8:45 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
> >
> > @Rob: dependabot is mainly about dependencies upgrades and it is also why it is so chatty and has so many false positives.
>
> Yes, I am well aware. But I do not see how a robot telling you to simply upgrade is a problem?
>
> Maybe I’m missing something but my impression is that’s what dependabot does right? Tell you you need to upgrade?
>
> -Rob
>
> > If you want to focus on CVE then setting up on the CI https://sonatype.github.io/ossindex-maven/maven-plugin/ is way more efficient and accurate (basically when it fails you must act), so dependabot is a great reporting tool for managers but not to work on an everyday basis IMHO until it is very finely configured, but Commons is far from needing so much investment since there already are solutions for everything needed IMHO.
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >
> >> On Wed, 29 Dec 2021 at 14:39, Rob Tompkins <chtom...@gmail.com> wrote:
> >>
> >> Guys. I think dependabot is our greatest advantage in the work against security problems. I know she has her failings and is chatty. But, I think we should open a line of thinking about how best she can help.
> >>
> >> The reason she’s a pain in the ass is that we don’t have enough hands on the project making it better. I know I would help more, but I have to keep up with my father who’s a quadriplegic as well as a currently failing marriage.
> >>
> >> The answer is that we need more hands on the project. I wish I could be those hands but time and priorities keep me chained.
> >>
> >> Cheers,
> >> -Rob
> >>
> >>> On Dec 29, 2021, at 8:26 AM, Gilles Sadowski <gillese...@gmail.com> wrote:
> >>>
> >>> On Wed, 29 Dec 2021 at 12:18, Thomas Vandahl <t...@apache.org> wrote:
> >>>>
> >>>> +1
> >>>> Thank you, Phil. This thing is a P.I.T.A.
> >>>
> >>> In effect, from day one:
> >>> https://markmail.org/message/2vutc4p3b3eqv73f
> >>>
> >>> Basically, the argument is that
> >>> * the (dependabot) feature is too important to be disabled
> >>> * the annoyed people should filter out those mails (which I did since no one at the time supported that they be diverted to another ML).
> >>> Did anything change since then?
> >>> [Or do we eventually question the general anomaly that code discussions have been almost completely off-loaded to GH?]
> >>>
> >>> Gilles
> >>>
> >>>>
> >>>>>> On 28.12.2021 at 19:20, Phil Steitz <phil.ste...@gmail.com> wrote:
> >>>>>
> >>>>> I can no longer effectively monitor commits@ due to the spam generated by this tool. I am afraid my eyeballs aren't the only ones going missing here and that is a problem much more severe than any value provided by this tool, IMO.
> >>>>>
> >>>>> Phil
> >>>>
> >>>> Bye, Thomas
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >>> For additional commands, e-mail: dev-h...@commons.apache.org
> >>>
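Romain's suggestion above, of running the OSS Index Maven plugin on CI so that a dependency with a published vulnerability fails the build rather than just generating mail, as an added example that is not part of the thread or of the Apache Commons build. The plugin coordinates and the `audit` goal follow the plugin documentation he links; the version is a placeholder, the vulnerability id in the exclusion list is a constructed placeholder, and the configuration keys (`fail`, `cvssScoreThreshold`, `excludeVulnerabilityIds`) are from my reading of that documentation and should be checked against the linked page before use.

```xml
<!-- Added example, not from the thread or the Commons pom: bind the
     Sonatype OSS Index audit into the Maven lifecycle so that "mvn verify"
     on CI fails when a resolved dependency matches a known vulnerability.
     Version and the excluded id are placeholders. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <!-- late enough that the full dependency tree is resolved -->
          <phase>verify</phase>
          <goals>
            <goal>audit</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- "when it fails you must act": a match is a build failure, not a log line.
             Setting this to false turns the plugin back into a report-only tool. -->
        <fail>true</fail>
        <!-- only findings at or above this CVSS score break the build;
             lower-scored ones are still listed in the audit output -->
        <cvssScoreThreshold>7.0</cvssScoreThreshold>
        <!-- findings already reviewed and judged not reachable from this code,
             one id per entry; keep the reason in a comment next to each id -->
        <excludeVulnerabilityIds>
          <exclude>VULN_ID_PLACEHOLDER</exclude> <!-- constructed placeholder -->
        </excludeVulnerabilityIds>
      </configuration>
    </plugin>
  </plugins>
</build>
```

The design point is the `fail` flag: with it set, the CI job goes red and someone has to either upgrade the dependency or add a reviewed exclusion, which is the "must act" property Romain contrasts with dependabot's advisory pull requests. The threshold and exclusion list are the tuning knobs that keep the gate from becoming the same kind of noise; each exclusion should be a deliberate, documented decision rather than a way to make the build pass.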