Hi,

+1

Regards,
Martin

On 2021/05/16 14:40:46, Charles Givre <[email protected]> wrote:
> Hello all,
> I'd like to propose adding Dependabot to our commit process. If you aren't
> familiar with Dependabot, it scans dependencies and alerts you to
> dependencies that have vulnerabilities. I ran dependabot on Drill's source,
> and found several rather serious CVEs associated with dependencies, hence the
> PRs to update Guava, JUnit, and a few others.
>
> I know that these automated code quality tests aren't always the best in
> terms of producing false positives, but I do think it is in general a good
> thing to at least be aware of these kinds of issues so that we can resolve
> them if they are deemed worthy.
>
> So... I'd like to call a vote. Would you like to add dependabot to Drill's
> github repo? Please vote yes or no by Thursday.
>
> Thanks and Keep on Drilling!
> -- C
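For readers who have not set Dependabot up before, this is what "adding Dependabot to the repo" amounts to in practice: a `.github/dependabot.yml` that turns on dependency version updates. The file below is an added example, not something from this thread or from the Drill project; it assumes Drill builds with Maven from a root pom.xml, and the schedule, label, commit prefix and ignored coordinates are illustrative placeholders.

```yaml
# .github/dependabot.yml  (added example, not Drill's own config;
# assumes a Maven build with pom.xml at the repository root)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # directory containing the root pom.xml
    schedule:
      interval: "weekly"           # one batch of update PRs per week
      day: "monday"
    open-pull-requests-limit: 5    # cap the number of simultaneous Dependabot PRs
    labels:
      - "dependencies"             # hypothetical label; must exist in the repo
    commit-message:
      prefix: "DRILL"              # hypothetical prefix for generated commit titles
    ignore:
      # Silence a known false positive or an intentionally pinned dependency.
      # The coordinates are placeholders, not a real Drill decision.
      - dependency-name: "org.example:pinned-lib"
        update-types: ["version-update:semver-major"]
```

Two points worth knowing before voting: this file controls routine version-bump PRs, whereas the CVE alerts Charles refers to (Dependabot alerts and the security-update PRs that accompany them) are switched on in the repository's security settings rather than in this file; and the `ignore` block is the mechanism for the false positives he mentions, so a noisy or intentionally pinned dependency can be excluded without turning the whole scan off.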
