+1

On Mon, May 17, 2021, 6:21 AM Martin Tzvetanov Grigorov <[email protected]> wrote:

> Hi,
>
> +1
>
> Regards,
> Martin
>
> On 2021/05/16 14:40:46, Charles Givre <[email protected]> wrote:
> > Hello all,
> > I'd like to propose adding Dependabot to our commit process. If you aren't familiar with Dependabot, it scans dependencies and alerts you to dependencies that have vulnerabilities. I ran Dependabot on Drill's source, and found several rather serious CVEs associated with dependencies, hence the PRs to update Guava, JUnit, and a few others.
> >
> > I know that these automated code quality tests aren't always the best in terms of producing false positives, but I do think it is in general a good thing to at least be aware of these kinds of issues so that we can resolve them if they are deemed worthy.
> >
> > So... I'd like to call a vote. Would you like to add Dependabot to Drill's GitHub repo? Please vote yes or no by Thursday.
> >
> > Thanks and Keep on Drilling!
> > -- C
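For readers following the proposal above, this is what enabling Dependabot in a GitHub repository typically looks like in practice. It is an added illustration, not a file from the Apache Drill repository or from anyone in this thread. Two things are involved: Dependabot security alerts for known-vulnerable dependencies are switched on in the repository's security settings, while a `.github/dependabot.yml` file configures the automated version-update pull requests (the kind that bump Guava, JUnit and similar). The ecosystem, root directory, schedule and label below are assumptions chosen for a Maven-built project like Drill.

```yaml
# .github/dependabot.yml  (added example; assumed values, not Drill's real config)
version: 2
updates:
  # Drill builds with Maven, so Dependabot watches the pom.xml files.
  - package-ecosystem: "maven"
    directory: "/"              # location of the root pom.xml (assumed)
    schedule:
      interval: "weekly"        # one batch of update PRs per week keeps noise down
    open-pull-requests-limit: 10  # cap concurrent PRs so reviewers are not flooded
    labels:
      - "dependencies"          # assumed label; lets CI and reviewers filter these PRs
```

The `open-pull-requests-limit` and weekly schedule address the false-positive and noise concern raised in the vote: security-driven updates still arrive as alerts, while routine version bumps are batched and easy to triage or close if a change is deemed not worth taking.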
