The dependabot check is once a week on Friday which is, IMO, just right.
Gary
On Wed, Oct 4, 2023, 7:18 PM Phil Steitz wrote:
> On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg wrote:
> >
> > Le 03/10/2023 à 20:18, Bruno Kinoshita a écrit :
> > > Same for me, I prefer to know ahead of time if
On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg wrote:
>
> Le 03/10/2023 à 20:18, Bruno Kinoshita a écrit :
> > Same for me, I prefer to know ahead of time if there are any issues with
> > dependencies.
>
> But the Commons components are mostly dependency-less, we are flooded by
> dependabot
Le 03/10/2023 à 20:18, Bruno Kinoshita a écrit :
Same for me, I prefer to know ahead of time if there are any issues with
dependencies.
But the Commons components are mostly dependency-less, we are flooded by
dependabot requests to update non code related dependencies (Maven
plugins, GitHub
Same for me, I prefer to know ahead of time if there are any issues with
dependencies.
On Tue, 3 Oct 2023, 19:23 Gary Gregory, wrote:
> Getting rid of this is good for dormant components ONLY IMO.
>
> It is definitely not a release time task for me. As an RM, I certainly
> don't want to spend
You could try archiving the projects. That way all jobs are disabled,
including dependabot. You can't push anymore, but unarchiving is just as
easy as archiving.
Rob
On 03/10/2023 19:22, Gary Gregory wrote:
Getting rid of this is good for dormant components ONLY IMO.
It is definitely not a
Getting rid of this is good for dormant components ONLY IMO.
It is definitely not a release time task for me. As an RM, I certainly
don't want to spend time doing this at release time. I want to update
dependencies as they become available to let them become part of the code
base where I can
On Tue, 3 Oct 2023 at 15:47, Emmanuel Bourg wrote:
>
> Le 01/10/2023 à 14:09, sebb a écrit :
> > As the subject says: how does one stop dependabot and other analyses
> > from running on dormant components?
>
> +1
>
> And even on all components, updating the dependencies is a release time
> task.
Le 01/10/2023 à 14:09, sebb a écrit :
As the subject says: how does one stop dependabot and other analyses
from running on dormant components?
+1
And even on all components, updating the dependencies is a release time
task. Updating 3 times the same Maven plugins between releases is a
waste
That has already been done for functor (some time ago), but the checks
are still shown as enabled:
https://github.com/apache/commons-functor/security
On Sun, 1 Oct 2023 at 13:12, Gary Gregory wrote:
>
> Edit the files in the .github folder (or remove them).
>
> Gary
>
> On Sun, Oct 1, 2023 at
Edit the files in the .github folder (or remove them).
Gary
On Sun, Oct 1, 2023 at 8:09 AM sebb wrote:
>
> As the subject says: how does one stop dependabot and other analyses
> from running on dormant components?
>
> Sebb
>
>
10 matches
Mail list logo
