Hi,

We will start getting dependabot PRs for our sling modules, for
instance

  https://github.com/apache/sling-org-apache-sling-xss/pull/18

While I understand the reasoning behind this service, in Sling we have
long had a policy of depending on the lowest possible version of the
API, to ensure that our bundles are deployed in the widest possible
range of environments.

The situation is different for embedded bundles, but that is an edge
case compared to our regular usage of dependencies.

I suggest that we hold off merging these PRs for now, and if anyone
thinks otherwise we should discuss and potentially amend our practices.

Thanks,
Robert
--- Begin Message ---
Hi folks,

Infra is pleased to announce that GitHub’s Dependabot service has been approved 
for use by ASF Legal and Infra, and is now enabled for all repos.  Dependabot 
will create PRs in your repo with recommended security updates for your 
project. It is entirely up to the project to accept or reject these PRs.

Dependabot Alerts can also be configured per-project, but currently the 
notifications go to Org Admins only. If your project wishes to receive 
Dependabot Alerts via email, please open an Infra Jira ticket so that we can 
add your committer team to the alerts.

-Chris
ASF Infra


--- End Message ---