I've updated the dependencies as CTR, but it was not straightforward and
not something npm audit was able to do on its own, which makes me a bit
skeptical of leaving dependency management to dependabot. A typical problem
is when the latest version of a package depends on an outdated package.
Then we need to force that package to use a newer version of the
outdated package. Since packages then end up with versions they might not
have been designed for, we have to be careful to test that building and
running the app still works as before. It may be that dependabot handles
these cases well, but I'm not sure it would reduce the manual involvement
required.

https://github.com/apache/tinkerpop/commit/134180f87ef00b08e49dd96ec271e2bb47bd5029
(3.5-dev)
https://github.com/apache/tinkerpop/commit/ec28bf7f2eaa76e6a5ba71ec7598c5f7db0c56b8
(master)
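As an added illustration (not from this thread and not taken from the TinkerPop commits linked above), this is the shape of the fix the message describes when npm 8.3 or newer is in use: the `overrides` field in package.json forces a transitive dependency to a newer version than the package that pulls it in declares. The package names and versions here are hypothetical; `build-tool` stands for a direct dev dependency whose latest release still depends on an outdated `old-helper@1.x`.

```json
{
  "name": "example-app",
  "version": "1.0.0",
  "devDependencies": {
    "build-tool": "^4.2.0"
  },
  "overrides": {
    "build-tool": {
      "old-helper": "^2.1.0"
    }
  }
}
```

The nested form limits the override to `old-helper` as resolved beneath `build-tool`; a top-level `"old-helper": "^2.1.0"` entry would apply everywhere in the tree. Since `build-tool` was not released against `old-helper` 2.x, check the resolution with `npm ls old-helper` and run the build and tests before committing, which is the manual step the message above points out; Yarn uses a `resolutions` field for the same purpose.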



On Fri, 14 Jan 2022 at 13:16, Øyvind Sæbø <oyvind.s...@gmail.com> wrote:

> I'll see if I can find time to look into it this weekend. I don't think we
> need to be concerned about the Gremlint library itself being insecure. It
> has zero dependencies, so I assume the warnings are related to the tooling
> we use to build or test the library or website. We should keep those up to
> date, though, so adding dependabot would be nice.
>
> On Fri, 14 Jan 2022 at 12:57, Stephen Mallette <spmalle...@gmail.com> wrote:
>
>> This post is mostly for Øyvind - I'm noticing that when I build gremlint I
>> get a number of messages about "critical" dependency updates and similar
>> warnings. I was wondering if there were any there that we should be
>> concerned about?
>>
>> In addition, we've put dependabot to work for python and .NET with success,
>> and figure that gremlin-javascript is next. What do you think about
>> enabling it for gremlint as well?
>>
>