I'll see if I can find time to look into it this weekend. I don't think we need to be concerned about the Gremlint library itself being insecure. It has zero dependencies, so I assume the warnings are related to the tooling we use to build or test the library or website. We should keep those up to date, though, so adding dependabot would be nice.

On Fri, 14 Jan 2022 at 12:57, Stephen Mallette <[email protected]> wrote:
> This post is mostly for Øyvind - I'm noticing that when I build gremlint I
> get a number of messages about "critical" dependency updates and similar
> warnings. I was wondering if there were any there that we should be
> concerned about?
>
> In addition, we've put dependabot to work for python and .NET to success,
> and figure that gremlin-javascript is next. What do you think about
> enabling it for gremlint as well?
