Hi,

I would prefer a solution that fixes the email issue, but if it bothers others, 
I guess I could enable dependabot on my fork of commons-imaging, commons-lang, 
commons-text, or any other repository that I may RM one day.

I use dependabot in other personal and $work projects and it's very helpful for 
Python & JS. Especially JS, where some updates may prevent security issues - 
even if you don't have a CVE in one of these dependencies, it's common that 
transitive dependencies have a CVE and due to how version ranges work in JS 
it's much more common to be affected indirectly, so I use dependabot and other 
tools like ncu to scan for updates.

For Java I normally see the security warnings in the GitHub security 
tab/HackerNews/Twitter/etc and fix it before dependabot can send a PR - this 
was the case in Apache Jena for log4j2, a few days ago.


For the Java projects, I find that it helps me know when things are broken 
due to updates. Like new versions of SpotBugs or Checkstyle that break the 
code. I prefer to fix that as soon as I have spare time, rather than 
during a release. With Imaging, in the alpha-1 release I think, I had a short 2-3 
day period to prepare the release, and during the step of updating 
dependencies, I found some FindBugs issues reported by the new version I was 
updating to, and spent the whole 2-3 days fixing it, then had to wait for 
another time to try to release again.

So if there is no solution for the noise that dependabot causes, I will use my 
fork with dependabot enabled to monitor if any PR fails, and see if it is 
something important.


-Bruno

On Wednesday, 29 December 2021, 07:20:35 am NZDT, Phil Steitz <phil.ste...@gmail.com> wrote:
 
 I can no longer effectively monitor commits@ due to the spam generated 
by this tool.  I am afraid my eyeballs aren't the only ones going 
missing here and that is a problem much more severe than any value 
provided by this tool, IMO.

Phil
