Hi Jacques,
IMO it depends on what those PRs disclose openly.
If those PRs disclose significant vulnerabilities I would prefer to not
use this. Maybe we should first investigate how Dependabot really works
before we use it.
Best regards,
Michael Brohl
ecomify GmbH - www.ecomify.de
On 05.04.22 at 09:31, Jacques Le Roux wrote:
Hi Team,
If nobody sees a problem with that I'll create a Jira for that in 3
days, i.e. Friday morning
Thanks
Jacques
On 05/04/2022 at 06:30, Chris Lambertus wrote:
Hi folks,
Infra is pleased to announce that GitHub’s Dependabot service has
been approved for use by ASF Legal and Infra, and is now enabled for
all repos. Dependabot will create PRs in your repo with recommended
security updates for your project. It is entirely up to the project
to accept or reject these PRs.
Dependabot Alerts can also be configured per-project, but currently
the notifications go to Org Admins only. If your project wishes to
receive Dependabot Alerts via email, please open an Infra Jira ticket
so that we can add your committer team to the alerts.
-Chris
ASF Infra