I love dependabot. I do minimal maintenance on several dozen demo projects and having a bot check the dependencies for vulnerabilities is a god-send.
There is no downside. Yes, I get a bunch of pull requests when somebody digs up another obscure problem with Jackson, but that isn't a problem. I have to worry about dependencies anyway, so why not make it relatively easy to do?

On Sun, May 16, 2021, 7:40 AM Charles Givre <[email protected]> wrote:

> Hello all,
>
> I'd like to propose adding Dependabot to our commit process. If you aren't familiar with Dependabot, it scans dependencies and alerts you to dependencies that have vulnerabilities. I ran dependabot on Drill's source, and found several rather serious CVEs associated with dependencies, hence the PRs to update Guava, JUnit, and a few others.
>
> I know that these automated code quality tests aren't always the best in terms of producing false positives, but I do think it is in general a good thing to at least be aware of these kinds of issues so that we can resolve them if they are deemed worthy.
>
> So... I'd like to call a vote. Would you like to add dependabot to Drill's github repo? Please vote yes or no by Thursday.
>
> Thanks and Keep on Drilling!
> -- C
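For reference, this is what "adding Dependabot to the repo" looks like as a checked-in file; it is an added example, not part of the thread or of Drill's repository, and the limit, labels and the ignored dependency are assumptions chosen to show how the pull-request noise mentioned above can be kept in check. Dependabot reads `.github/dependabot.yml` for scheduled version updates; the vulnerability alerts and the security-fix PRs the proposal describes are switched on separately under the repository's Security settings and do not require this file.

```yaml
# .github/dependabot.yml (hypothetical file for a Maven project such as Drill)
version: 2
updates:
  - package-ecosystem: "maven"   # Drill builds with Maven, so Dependabot reads pom.xml
    directory: "/"               # location of the root pom.xml
    schedule:
      interval: "weekly"         # one batch per week instead of a PR per upstream release
    open-pull-requests-limit: 5  # cap on simultaneously open dependency PRs (assumed value)
    labels:
      - "dependencies"           # makes the bot's PRs easy to filter in the PR list
    ignore:
      # Assumption for illustration: a dependency the project prefers to bump by hand.
      # Security-fix PRs are not affected by this; only scheduled version bumps are.
      - dependency-name: "com.google.guava:guava"   # Maven deps are named groupId:artifactId
        update-types: ["version-update:semver-major"]
```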
