I may or may not have killed dependabot with this:

https://github.com/apache/tinkerpop/tree/master/.dependabot

Florian, if you or someone else wants to config dependabot in a "nice" way
that's useful to us feel free to make the appropriate changes. As folks
have interest in this tool I won't bug infra about disabling it for us.

On Thu, Nov 7, 2019 at 8:38 AM Robert Dale <robd...@gmail.com> wrote:

> Interesting.  However, dependabot appears to be the thing that is used to
> create PRs.  For instance, if automatic PRs are configured under the
> Security tab, then it uses dependabot to make those changes. If automatic
> PRs are not enabled, then you should only get the security alert.  If we
> can't get automatic PRs disabled at the Security level, then we'll have to
> use this as a workaround.  It would be good to know if we would get any
> notification at all as I haven't seen the alerts come through, only the PRs.
>
> 1.
>
> https://help.github.com/en/github/managing-security-vulnerabilities/about-security-alerts-for-vulnerable-dependencies#alerts-and-automated-security-fixes-for-vulnerable-dependencies
> 2.
>
> https://help.github.com/en/github/managing-security-vulnerabilities/configuring-automated-security-fixes
>
> Robert Dale
>
>
> On Thu, Nov 7, 2019 at 8:26 AM Florian Hockmann <f...@florian-hockmann.de>
> wrote:
>
> > I think dependabot could be helpful if we could properly configure it to
> > only update parts of our repo where we want that or only certain
> > dependencies. It could be very helpful for the GLVs for example in my
> > opinion as they shouldn't have dependencies where updates are complicated
> > and we don't seem to update them regularly.
> >
> > Since it's possible to configure dependabot with a config file, we should
> > be able to do that without intervention from Apache Infra for every
> change:
> > https://dependabot.com/docs/config-file/
> >
> > But it would of course be good to know first why it was activated and
> > whether it stays activated.
> >
> > -----Original Message-----
> > From: Stephen Mallette <spmalle...@gmail.com>
> > Sent: Thursday, 7 November 2019 14:08
> > To: dev@tinkerpop.apache.org
> > Subject: Re: [DISCUSS] dependabot
> >
> > I'd be content with alerts on the security tab that we can evaluate and
> > then act upon accordingly.
> >
> > On Thu, Nov 7, 2019 at 8:02 AM Robert Dale <robd...@gmail.com> wrote:
> >
> > > Ideally, if they can just configure it to not create PRs and instead
> > > create only the alert, that would be great.  And of course give us
> > > access to the Alert tab under the Security tab.
> > >
> > > Robert Dale
> > >
> > >
> > > On Thu, Nov 7, 2019 at 7:53 AM Stephen Mallette <spmalle...@gmail.com>
> > > wrote:
> > >
> > > > I guess Apache Infra has decided to enable dependabot. Personally, I
> > > > don't like these sorts of things. They just create PRs I have to close
> > > > as the bot is unaware of the subtleties of our requirements. My
> > > > intention is to ask Infra to disable the feature as we have our own
> > > > bot that does this sort of thing - RobertDaleBot.
> > > >
> > > >
> > > >
> > > > On Thu, Nov 7, 2019 at 7:45 AM <dependa...@gitbox.apache.org> wrote:
> > > >
> > > > > OK, I won't notify you again about this release, but will get in
> > > > > touch when a new version is available. If you'd rather skip all
> > > > > updates until the next major or minor version, let me know by
> > > > > commenting `@dependabot ignore this major version` or
> > > > > `@dependabot ignore this minor version`.
> > > > >
> > > > > If you change your mind, just re-open this PR and I'll resolve any
> > > > > conflicts on it.
> > > > >
> > > > > [ Full content available at:
> > > > https://github.com/apache/tinkerpop/pull/1217
> > > > > ]
> > > > > This message was relayed via gitbox.apache.org for
> > > > > dev@tinkerpop.apache.org
> > > > >
> > > >
> > >
> >
> >
>
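For reference, here is what a scoped Dependabot config along the lines Florian and Robert describe could look like. This is an added example, not the file actually committed under https://github.com/apache/tinkerpop/tree/master/.dependabot and not something the TinkerPop project endorses. It follows the v1 `.dependabot/config.yml` format documented at the https://dependabot.com/docs/config-file/ link above; the `directory` paths, the `gremlin-javascript`/`gremlin-python` module layout, the `master` branch, the monthly cadence and the ignored `core-js` dependency are all assumptions chosen for illustration. The first entry is the loose default Dependabot effectively applies when no config is present (every dependency, daily, as a PR); the entries after it narrow that to the GLVs only and to security updates only, which is the "alert-like" behaviour Robert asked for.

```yaml
# ASSUMED example .dependabot/config.yml (v1 format), not TinkerPop's real file.
version: 1
update_configs:

  # 1. The weak setting: this is roughly what Dependabot does with no config at all.
  #    Every direct and indirect dependency in the root pom.xml gets a PR on
  #    every new release, which is exactly the noise the thread complains about.
  #    Shown here only for contrast; delete this entry in a real config.
  - package_manager: "java:maven"
    directory: "/"
    update_schedule: "daily"

  # 2. Scoped to a GLV only (directory path is an assumption), and restricted to
  #    security updates of direct dependencies. With `update_type: "security"`
  #    Dependabot only opens a PR when a dependency has a known advisory, so the
  #    PR doubles as the alert the repo would otherwise only see in the Security tab.
  - package_manager: "javascript"
    directory: "/gremlin-javascript/src/main/javascript/gremlin-javascript"
    update_schedule: "monthly"
    target_branch: "master"
    default_labels:
      - "dependencies"
    allowed_updates:
      - match:
          dependency_type: "direct"
          update_type: "security"

  # 3. Same idea for the Python GLV (directory path again assumed). The
  #    `ignored_updates` block shows how to keep the bot away from a dependency
  #    whose upgrade needs human judgement; `core-js` is a placeholder name.
  - package_manager: "python"
    directory: "/gremlin-python/src/main/python"
    update_schedule: "monthly"
    target_branch: "master"
    allowed_updates:
      - match:
          dependency_type: "direct"
          update_type: "security"
    ignored_updates:
      - match:
          dependency_name: "core-js"
```

Two caveats a committer checking this in should know. First, the config file only governs the version-update PRs; the vulnerability alerts and the "automated security fixes" toggle Robert links to live under the repository's Security settings, so a config alone will not turn off security PRs if that toggle is on. Second, this v1 format was retired after GitHub folded Dependabot into the platform; current repositories use `.github/dependabot.yml` (`version: 2`) with different keys, so a config written in this shape would need to be ported rather than copied.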
