I remember seeing someone ask about Dependabot in the asfinfra Slack channel a few weeks ago. However, asfinfra said they cannot allow it. Here is the link: https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800 I think this is the same as GitHub's Dependabot.
Best Regards,
Maytas

On Tue, Apr 6, 2021 at 2:37 PM Xavier Léauté <x...@apache.org> wrote:
> Hi folks, as you know Druid has a lot of dependencies, and keeping up with
> the latest versions of everything, whether it relates to fixing CVEs or
> other improvements is a lot of manual work.
>
> I suggest we enable GitHub's Dependabot in our repository to keep our
> dependencies up to date. The bot is also helpful in providing a short
> commit log summary to understand changes.
> This might yield a flurry of PRs initially, but we can configure it to
> exclude libraries or version ranges that we know are unsafe for us to
> upgrade to.
>
> It looks like some other ASF repos have this enabled already (see
> https://github.com/apache/commons-imaging/pull/126), so hopefully this
> only requires filing an INFRA ticket.
>
> Happy to take care of it if folks are on board.
>
> Thanks!
> Xavier
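The quoted proposal mentions configuring Dependabot to exclude libraries or version ranges that are unsafe to upgrade and to cope with the initial flurry of PRs. The configuration below is an added illustration of what that looks like for a Maven project; it is not from the Druid repository or from this thread, and the dependency names under `ignore` are hypothetical placeholders, not libraries Druid actually pins. Dependabot reads this file from `.github/dependabot.yml` in the default branch.

```yaml
# .github/dependabot.yml  (added example; dependency names are placeholders)
version: 2
updates:
  - package-ecosystem: "maven"      # Druid builds with Maven
    directory: "/"                  # location of the root pom.xml
    schedule:
      interval: "weekly"            # batch updates instead of opening PRs as they land
    open-pull-requests-limit: 10    # cap the initial flurry (default is 5)
    ignore:
      # Hypothetical: never propose 3.x or later of a library known to break us.
      # The range uses Maven's own syntax; "[3.0,)" means 3.0 and above.
      - dependency-name: "org.example:legacy-lib"
        versions: ["[3.0,)"]
      # Hypothetical: accept minor/patch bumps for a whole artifact group,
      # but leave major-version bumps for a human to plan.
      - dependency-name: "org.example.client:*"
        update-types: ["version-update:semver-major"]
```

Entries under `ignore` apply per dependency (wildcards are allowed in `dependency-name`), and `versions` or `update-types` narrows the exclusion to specific versions or to a class of bumps rather than silencing the dependency entirely. The assumption that the `versions` field accepts a Maven-style range is mine; check it against the current Dependabot documentation for the Maven ecosystem before relying on it. None of this changes the point Maytas raised: the file does nothing until the GitHub App is actually enabled on the repository, which at the time of the thread was an ASF infra decision.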