Hi Michael,
Jarek clarified for us. I'll carefully read the GH link, but that sounds pretty
safe.
Jacques
-------- Forwarded message --------
Subject: Re: [NOTICE] Dependabot Updates enabled for all projects
Date: Tue, 5 Apr 2022 13:37:06 +0200
From: Jarek Potiuk <ja...@potiuk.com>
To: Jacques Le Roux <jacques.le.r...@les7arts.com>
Cc: us...@infra.apache.org
Dependabot only creates PRs for the public vulnerabilities of your
dependencies (not your own code). This is purely about keeping your
supply-chain secure.
This feature does not change the regular handling of security reports
we get via security@a.o as far as I understand.
You can read more here:
https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates
J.
On Tue, Apr 5, 2022 at 1:25 PM Jacques Le Roux
<jacques.le.r...@les7arts.com> wrote:
Hi Jarek,
OK, but what about the others, those not public? I guess we can send them to
our (private) security ML?
TIA
Jacques
On 05/04/2022 at 11:07, Jarek Potiuk wrote:
Yes. But those are only for security vulnerabilities that are already
public. So trying to "not" show them is security-by-obscurity.
J.
On Tue, Apr 5, 2022 at 11:01 AM Jacques Le Roux
<jacques.le.r...@les7arts.com> wrote:
Hi Chris,
Can these PRs be seen by everybody?
Thanks
Jacques
On 05/04/2022 at 06:30, Chris Lambertus wrote:
Hi folks,
Infra is pleased to announce that GitHub’s Dependabot service has been approved
for use by ASF Legal and Infra, and is now enabled for all repos. Dependabot
will create PRs in your repo with recommended security updates for your
project. It is entirely up to the project to accept or reject these PRs.
Dependabot Alerts can also be configured per-project, but currently the
notifications go to Org Admins only. If your project wishes to receive
Dependabot Alerts via email, please open an Infra Jira ticket so that we can
add your committer team to the alerts.
-Chris
ASF Infra