@Rob: dependabot is mainly about dependency upgrades, and that is also why it is so chatty and has so many false positives. If you want to focus on CVEs, then setting up https://sonatype.github.io/ossindex-maven/maven-plugin/ on the CI is way more efficient and accurate (basically, when it fails you must act), so dependabot is a great reporting tool for managers but not something to work with on an everyday basis IMHO until it is very finely configured, but commons is far from needing so much investment since there are already solutions for everything needed IMHO.
Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>

On Wed, 29 Dec 2021 at 14:39, Rob Tompkins <chtom...@gmail.com> wrote:

> Guys. I think dependabot is our greatest advantage in the work against
> security problems. I know she has her failings and is chatty. But, I think
> we should open a line of thinking about how best she can help.
>
> The reason she's a pain in the ass is that we don't have enough hands on
> the project making it better. I know I would help more, but I have to keep
> up with my father who's a quadriplegic as well as a currently failing
> marriage.
>
> The answer is that we need more hands on the project. I wish I could be
> those hands but time and priorities keep me chained.
>
> Cheers,
> -Rob
>
> > On Dec 29, 2021, at 8:26 AM, Gilles Sadowski <gillese...@gmail.com> wrote:
> >
> > On Wed, 29 Dec 2021 at 12:18, Thomas Vandahl <t...@apache.org> wrote:
> >>
> >> +1
> >> Thank you, Phil. This thing is a P.I.T.A.
> >
> > In effect, from day one:
> > https://markmail.org/message/2vutc4p3b3eqv73f
> >
> > Basically, the argument is that
> > * the (dependabot) feature is too important to be disabled
> > * the annoyed people should filter out those mails (which I
> > did since no one at the time supported that they be diverted
> > to another ML).
> > Did anything change since then?
> > [Or do we eventually question the general anomaly that code
> > discussions have been almost completely off-loaded to GH?]
> >
> > Gilles
> >
> >>
> >>>> On 28.12.2021 at 19:20, Phil Steitz <phil.ste...@gmail.com> wrote:
> >>>
> >>> I can no longer effectively monitor commits@ due to the spam
> >>> generated by this tool. I am afraid my eyeballs aren't the only ones going
> >>> missing here and that is a problem much more severe than any value provided
> >>> by this tool, IMO.
> >>>
> >>> Phil
> >>
> >> Bye, Thomas
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
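One way to wire the OSS Index audit Romain points to into a Maven build so that a known CVE breaks the build, as an added example that is not from the thread or from the Commons build itself; the plugin coordinates, version and parameter names are assumptions to be checked against the linked plugin documentation:

```xml
<!-- Added example (not from the thread): run the Sonatype OSS Index audit
     on every build and fail on dependencies with known vulnerabilities.
     Plugin coordinates, version and parameter names are assumptions; verify
     them against https://sonatype.github.io/ossindex-maven/maven-plugin/ -->
<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.ossindex.maven</groupId>
      <artifactId>ossindex-maven-plugin</artifactId>
      <version>3.2.0</version> <!-- assumed; use the current release -->
      <executions>
        <execution>
          <id>audit-dependencies</id>
          <!-- bind to verify so a finding stops the build before install/deploy -->
          <phase>verify</phase>
          <goals>
            <goal>audit</goal>
          </goals>
        </execution>
      </executions>
      <configuration>
        <!-- fail the build while any matched vulnerability remains: this is the
             "when it fails you must act" behaviour described in the thread -->
        <fail>true</fail>
        <!-- audit only what ships to users; test-scoped dependencies are not
             part of the released artifact -->
        <scope>compile,runtime</scope>
        <!-- accepted findings are listed explicitly, with a reason, so the
             exception is reviewed in version control instead of lost in mail -->
        <excludeVulnerabilityIds>
          <!-- placeholder: replace with the real OSS Index id of a reviewed,
               not-applicable finding, and drop it once the dependency is upgraded -->
          <excludeVulnerabilityId>PLACEHOLDER-OSSINDEX-ID</excludeVulnerabilityId>
        </excludeVulnerabilityIds>
      </configuration>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` exits non-zero when an unexcluded finding is reported, so the CI job, and not a mailing list, is what carries the signal.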