+1

from Alibaba Mail macOS
------------------------------------------------------------------
From: Ankush Kapur <ankush.ka...@gmail.com>
Date: May 17, 2021 19:38:27
To: <dev@drill.apache.org>
Subject: Re: [VOTE] Add Dependabot to Drill

+1

On Mon, May 17, 2021, 6:21 AM Martin Tzvetanov Grigorov <mgrigo...@apache.org> wrote:

> Hi,
>
> +1
>
> Regards,
> Martin
>
> On 2021/05/16 14:40:46, Charles Givre <cgi...@gmail.com> wrote:
> > Hello all,
> > I'd like to propose adding Dependabot to our commit process. If you aren't familiar with Dependabot, it scans dependencies and alerts you to dependencies that have vulnerabilities. I ran dependabot on Drill's source, and found several rather serious CVEs associated with dependencies, hence the PRs to update Guava, JUnit, and a few others.
> >
> > I know that these automated code quality tests aren't always the best in terms of producing false positives, but I do think it is in general a good thing to at least be aware of these kinds of issues so that we can resolve them if they are deemed worthy.
> >
> > So... I'd like to call a vote. Would you like to add dependabot to Drill's github repo? Please vote yes or no by Thursday.
> >
> > Thanks and Keep on Drilling!
> > -- C