I think dependabot could be helpful if we could properly configure it to only update parts of our repo where we want that or only certain dependencies. It could be very helpful for the GLVs for example in my opinion as they shouldn't have dependencies where updates are complicated and we don't seem to update them regularly.
Since it's possible to configure dependabot with a config file, we should be able to do that without intervention from Apache Infra for every change: https://dependabot.com/docs/config-file/ But it would of course be good to know first why it was activated and whether it stays activated.

-----Original Message-----
From: Stephen Mallette <[email protected]>
Sent: Thursday, 7 November 2019 14:08
To: [email protected]
Subject: Re: [DISCUSS] dependabot

I'd be content with alerts on the security tab that we can evaluate and then act upon accordingly.

On Thu, Nov 7, 2019 at 8:02 AM Robert Dale <[email protected]> wrote:

> Ideally, if they can just configure it to not create PRs and instead
> create only the alert, that would be great. And of course give us
> access to the Alert tab under the Security tab.
>
> Robert Dale
>
>
> On Thu, Nov 7, 2019 at 7:53 AM Stephen Mallette <[email protected]> wrote:
>
> > I guess Apache Infra has decided to enable dependabot. Personally, I don't
> > like these sorts of things. They just create PRs I have to close as the bot
> > is unaware of the subtleties of our requirements. My intention is to
> > ask Infra to disable the feature as we have our own bot that does this sort of
> > thing - RobertDaleBot.
> >
> >
> > On Thu, Nov 7, 2019 at 7:45 AM <[email protected]> wrote:
> >
> > > OK, I won't notify you again about this release, but will get in
> > > touch when a new version is available. If you'd rather skip all
> > > updates until the next major or minor version, let me know by commenting
> > > `@dependabot ignore this major version` or `@dependabot ignore this minor version`.
> > >
> > > If you change your mind, just re-open this PR and I'll resolve any
> > > conflicts on it.
> > >
> > > [ Full content available at: https://github.com/apache/tinkerpop/pull/1217 ]
> > > This message was relayed via gitbox.apache.org for
> > > [email protected]
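A concrete version of the config-file approach mentioned above, added here as an example and not the project's own file: a `.dependabot/config.yml` that limits the bot to two GLV sub-projects and to security-only PRs in one of them. It assumes the v1 format of the linked docs; the directory and dependency names are hypothetical placeholders.

```yaml
# .dependabot/config.yml (v1 format) -- added example, not TinkerPop's config.
# Only directories listed under update_configs get any updates at all;
# everything else in the repo is left alone by the bot.
version: 1
update_configs:
  # JavaScript GLV: open PRs only for security updates, checked weekly.
  - package_manager: "javascript"
    directory: "/path/to/javascript-glv"   # placeholder, not a real path
    update_schedule: "weekly"
    allowed_updates:
      - match:
          dependency_type: "all"
          update_type: "security"
    default_labels:
      - "dependencies"
  # Python GLV: allow updates of direct dependencies, but never bump a
  # dependency the project pins deliberately (name is a placeholder).
  - package_manager: "python"
    directory: "/path/to/python-glv"       # placeholder, not a real path
    update_schedule: "monthly"
    allowed_updates:
      - match:
          dependency_type: "direct"
          update_type: "all"
    ignored_updates:
      - match:
          dependency_name: "pinned-dependency-placeholder"
```

This file only governs which PRs the bot opens; the alerts on the Security tab that the thread asks for are a separate repository setting on GitHub.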
