Interesting.  However, dependabot appears to be the thing that is used to
create PRs.  For instance, if automatic PRs are configured under the
Security tab, then it uses dependabot to make those changes. If automatic
PRs are not enabled, then you should only get the security alert.  If we
can't get automatic PRs disabled at the Security level, then we'll have to
use this as a workaround.  It would be good to know if we would get any
notification at all as I haven't seen the alerts come through, only the PRs.

1. https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#alerts-and-automated-security-fixes-for-vulnerable-dependencies
2. https://help.github.com/en/github/managing-security-vulnerabilities/configuring-automated-security-fixes

Robert Dale


On Thu, Nov 7, 2019 at 8:26 AM Florian Hockmann <f...@florian-hockmann.de>
wrote:

> I think dependabot could be helpful if we could properly configure it to
> only update parts of our repo where we want that or only certain
> dependencies. It could be very helpful for the GLVs for example in my
> opinion as they shouldn't have dependencies where updates are complicated
> and we don't seem to update them regularly.
>
> Since it's possible to configure dependabot with a config file, we should
> be able to do that without intervention from Apache Infra for every change:
> https://dependabot.com/docs/config-file/
>
> But it would of course be good to know first why it was activated and
> whether it stays activated.
>
> -----Original Message-----
> From: Stephen Mallette <spmalle...@gmail.com>
> Sent: Thursday, 7 November 2019 14:08
> To: dev@tinkerpop.apache.org
> Subject: Re: [DISCUSS] dependabot
>
> I'd be content with alerts on the security tab that we can evaluate and
> then act upon accordingly.
>
> On Thu, Nov 7, 2019 at 8:02 AM Robert Dale <robd...@gmail.com> wrote:
>
> > Ideally, if they can just configure it to not create PRs and instead
> > create only the alert, that would be great.  And of course give us
> > access to the Alert tab under the Security tab.
> >
> > Robert Dale
> >
> >
> > On Thu, Nov 7, 2019 at 7:53 AM Stephen Mallette <spmalle...@gmail.com>
> > wrote:
> >
> > > I guess Apache Infra has decided to enable dependabot. Personally, I
> > > don't like these sorts of things. They just create PRs I have to close
> > > as the bot is unaware of the subtleties of our requirements. My
> > > intention is to ask Infra to disable the feature as we have our own bot
> > > that does this sort of thing - RobertDaleBot.
> > >
> > >
> > >
> > > On Thu, Nov 7, 2019 at 7:45 AM <dependa...@gitbox.apache.org> wrote:
> > >
> > > > OK, I won't notify you again about this release, but will get in
> > > > touch when a new version is available. If you'd rather skip all
> > > > updates until the next major or minor version, let me know by
> > > > commenting `@dependabot ignore this major version` or `@dependabot
> > > > ignore this minor version`.
> > > >
> > > > If you change your mind, just re-open this PR and I'll resolve any
> > > > conflicts on it.
> > > >
> > > > [ Full content available at:
> > > > https://github.com/apache/tinkerpop/pull/1217 ]
> > > > This message was relayed via gitbox.apache.org for
> > > > dev@tinkerpop.apache.org
> > > >
> > >
> >
>
>
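As an added illustration of the scoping Florian describes above (only certain parts of the repo, only certain dependencies, and no noisy major-version PRs), here is a Dependabot configuration. It is not part of this thread and not the TinkerPop project's own file. The thread links the older dependabot.com config-file documentation; this example uses the `.github/dependabot.yml` version 2 format read by GitHub's integrated Dependabot. The GLV directory paths are placeholders, the ecosystems are assumed, and the update cadence is an arbitrary choice.

```yaml
# .github/dependabot.yml -- added example, not the project's own configuration
version: 2
updates:
  # Core Java build (assumed: a root pom.xml). open-pull-requests-limit: 0
  # turns off version-update PRs for this entry, so maintainers see only
  # what the repository's Security tab reports and decide by hand.
  # Security-fix PRs are governed by the repository's Security settings,
  # not by this file, which is why the thread also asks Infra about them.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0

  # JavaScript GLV (placeholder path): restrict to one subdirectory and to
  # direct dependencies only, cap open PRs, and skip major bumps. Ignoring
  # semver-major here has the same effect as replying
  # "@dependabot ignore this major version" on every PR it would open.
  - package-ecosystem: "npm"
    directory: "/path/to/javascript-glv"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    allow:
      - dependency-type: "direct"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"

  # Python GLV (placeholder path): same policy, lower cadence.
  - package-ecosystem: "pip"
    directory: "/path/to/python-glv"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 3
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Because the file lives in the repository, changes to it go through normal review on the project's own branch and do not need an Infra ticket; only the repository-level security settings (the automatic security-fix PRs discussed at the top of the thread) remain outside the committers' control.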
