Yes, I agree as long as we just use it as a means of notification it will
bring value.
Tue. 18 Jan 2022 at 13:02 Stephen Mallette wrote:
> Thanks for fixing that. I don't expect dependabot to save any work, but I
> would like to know when there is a bad security problem that needs
> attention
Thanks for fixing that. I don't expect dependabot to save any work, but I
would like to know when there is a bad security problem that needs
attention. I tend to think of its utility in that way.
On Sun, Jan 16, 2022 at 11:57 AM Øyvind Sæbø wrote:
> I've updated the dependencies as CTR, but it w
I've updated the dependencies as CTR, but it was not straightforward and
not something npm audit was able to do on its own, which makes me a bit
skeptical of leaving dependency management to dependabot. A typical problem
is when the latest version of a package depends on an outdated package.
Then w
I'll see if I can find time to look into it this weekend. I don't think we
need to be concerned about the Gremlint library itself being insecure. It
has zero dependencies, so I assume the warnings are related to the tooling
we use to build or test the library or website. We should keep those up to
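The two messages above raise the same two checks: whether a flagged package is reachable only through build or test tooling, and whether bumping its dependents to their latest release actually clears it. The following is an added example (not code from this thread or from the Gremlint project): a small JavaScript audit over a constructed package-lock.json v3 "packages" map, with constructed advisory and registry data, that answers both; it assumes a hoisted node_modules layout and plain major.minor.patch version strings.

```javascript
// Added example, not code from the thread or the Gremlint project. Input is a
// constructed package-lock.json v3 "packages" map (hoisted layout assumed, so every
// package sits at node_modules/<name>), plus constructed advisory and registry data.
const lock = { packages: {
  "": { dependencies: { "tiny-runtime": "^1.0.0" },
        devDependencies: { "build-tool": "^2.0.0", "test-runner": "^5.0.0" } },
  "node_modules/tiny-runtime": { version: "1.0.2" },
  "node_modules/build-tool": { version: "2.3.0", dev: true, dependencies: { "old-parser": "^1.0.0" } },
  "node_modules/test-runner": { version: "5.1.0", dev: true, dependencies: { "old-parser": "^1.0.0" } },
  "node_modules/old-parser": { version: "1.2.3", dev: true },
} };
const advisories = [{ name: "old-parser", patchedIn: "1.2.4" }]; // constructed: < 1.2.4 affected
const registryLatest = {  // constructed: what the "latest" of each dependent requires
  "build-tool":  { version: "2.4.0", dependencies: { "old-parser": "^1.2.4" } },
  "test-runner": { version: "5.1.0", dependencies: { "old-parser": "^1.0.0" } },
};
function lessThan(a, b) {  // numeric major.minor.patch comparison
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}
const rangeMin = (r) => r.replace(/^[\^~>=\s]+/, ""); // lowest version a ^/~ range admits
function auditLock(lock, advisories, latest) {
  const pkgs = lock.packages, root = pkgs[""], parents = {};
  const prod = root.dependencies || {}, dev = root.devDependencies || {};
  for (const [path, p] of Object.entries(pkgs)) {  // reverse edges: dep -> dependents
    if (path === "") continue;
    for (const dep of Object.keys(p.dependencies || {}))
      (parents[dep] = parents[dep] || []).push(path.slice("node_modules/".length));
  }
  const report = [];
  for (const adv of advisories) {
    const p = pkgs["node_modules/" + adv.name];
    if (!p || !lessThan(p.version, adv.patchedIn)) continue;
    const seen = new Set([adv.name]), stack = [adv.name], topLevel = new Set();
    while (stack.length) {  // climb the reverse edges up to the root's direct deps
      const cur = stack.pop();
      if (cur in prod || cur in dev) topLevel.add(cur);
      for (const par of parents[cur] || []) if (!seen.has(par)) { seen.add(par); stack.push(par); }
    }
    const tops = [...topLevel], prodReachable = tops.some((t) => t in prod);
    // Bumping the immediate dependents helps only if each one's latest release already
    // requires the patched version; "latest still depends on an outdated package" gives false.
    const fixableByBump = (parents[adv.name] || []).every((d) => {
      const req = latest[d] && latest[d].dependencies && latest[d].dependencies[adv.name];
      return !req || !lessThan(rangeMin(req), adv.patchedIn);
    });
    report.push({ name: adv.name, version: p.version, topLevel: tops, prodReachable, fixableByBump });
  }
  return report;
}
```

With the sample data the only finding is reachable solely via devDependencies, and bumping is not enough because the latest test-runner still accepts the outdated old-parser.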
This post is mostly for Øyvind - I'm noticing that when I build gremlint I
get a number of messages about "critical" dependency updates and similar
warnings. I was wondering if there were any there that we should be
concerned about?
In addition, we've put dependabot to work for python and .NET to