Thanks Maytas, I asked in that thread. They seemed concerned about write access requested by Dependabot, but that should no longer be required as far as I can tell, now that it is natively integrated into GitHub. It should only be a matter of adding the config file to the repo, similar to what we do to automate closing stale issues / PRs.
On Tue, Apr 6, 2021 at 2:50 PM Maytas Monsereenusorn <mayt...@apache.org> wrote:

> I remember seeing someone asking about Dependabot in the asfinfra Slack channel
> a few weeks ago. However, asfinfra said they cannot allow it.
> Here is the link:
> https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800
> I think this is the same as GitHub's Dependabot.
>
> Best Regards,
> Maytas
>
>
> On Tue, Apr 6, 2021 at 2:37 PM Xavier Léauté <x...@apache.org> wrote:
>
> > Hi folks, as you know Druid has a lot of dependencies, and keeping up with
> > the latest versions of everything, whether it relates to fixing CVEs or
> > other improvements, is a lot of manual work.
> >
> > I suggest we enable GitHub's Dependabot in our repository to keep our
> > dependencies up to date. The bot is also helpful in providing a short
> > commit log summary to understand changes.
> > This might yield a flurry of PRs initially, but we can configure it to
> > exclude libraries or version ranges that we know are unsafe for us to
> > upgrade to.
> >
> > It looks like some other ASF repos have this enabled already (see
> > https://github.com/apache/commons-imaging/pull/126), so hopefully this
> > only requires filing an INFRA ticket.
> >
> > Happy to take care of it if folks are on board.
> >
> > Thanks! 
> > Xavier
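For reference, this is the kind of per-repository config file the thread is talking about. It is an added illustration, not a file from the Druid repo or from any message above, and it shows the two knobs the proposal relies on: capping the initial flurry of PRs and excluding dependencies or version ranges the project does not want upgraded. It assumes a Maven build at the repository root; the dependency names under `ignore` are hypothetical placeholders, not real Druid dependencies.

```yaml
# .github/dependabot.yml (added example, not Druid's own config)
# Dependabot reads this file from the default branch; no bot write access
# or app installation is needed beyond the native GitHub integration.
version: 2
updates:
  - package-ecosystem: "maven"      # assumption: Maven build at repo root
    directory: "/"
    schedule:
      interval: "weekly"
    # Keep the first wave of PRs manageable; raise once the backlog is gone.
    open-pull-requests-limit: 5
    commit-message:
      prefix: "deps"
    labels:
      - "dependencies"
    ignore:
      # Hypothetical: pin a library below a major version the project cannot adopt yet.
      - dependency-name: "com.example:legacy-client"
        versions: [">= 2.0.0"]
      # Hypothetical: take patch/minor bumps from this group, but never major ones.
      - dependency-name: "org.example.*"
        update-types: ["version-update:semver-major"]
```

Each `ignore` entry only suppresses version-update PRs for the matching dependency; the project still has to review what lands in the ignored range by hand, so it pays to keep the list short and revisit it when the blocking issue is resolved.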