Thanks for fixing that. I don't expect dependabot to save any work, but I would like to know when there is a bad security problem that needs attention. I tend to think of its utility in that way.
On Sun, Jan 16, 2022 at 11:57 AM Øyvind Sæbø <[email protected]> wrote:

> I've updated the dependencies as CTR, but it was not straightforward and not something npm audit was able to do on its own, which makes me a bit skeptical of leaving dependency management to dependabot. A typical problem is when the latest version of a package depends on an outdated package. Then we need to force that package to use a newer version of the outdated package. Since packages then end up with versions they might not have been designed for, we have to be careful to test that building and running the app still works as before. It may be that dependabot handles these cases well, but I'm not sure it would reduce the manual involvement required.
>
> https://github.com/apache/tinkerpop/commit/134180f87ef00b08e49dd96ec271e2bb47bd5029 (3.5-dev)
> https://github.com/apache/tinkerpop/commit/ec28bf7f2eaa76e6a5ba71ec7598c5f7db0c56b8 (master)
>
> Fri. 14 Jan 2022 at 13:16 Øyvind Sæbø <[email protected]> wrote:
>
>> I'll see if I can find time to look into it this weekend. I don't think we need to be concerned about the Gremlint library itself being insecure. It has zero dependencies, so I assume the warnings are related to the tooling we use to build or test the library or website. We should keep those up to date, though, so adding dependabot would be nice.
>>
>> Fri. 14 Jan 2022 at 12:57 Stephen Mallette <[email protected]> wrote:
>>
>>> This post is mostly for Øyvind - I'm noticing that when I build gremlint I get a number of messages about "critical" dependency updates and similar warnings. I was wondering if there were any there that we should be concerned about?
>>>
>>> In addition, we've put dependabot to work for python and .NET to success, and figure that gremlin-javascript is next. What do you think about enabling it for gremlint as well?
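The forced-upgrade case Øyvind describes (a dependency that still pulls in an outdated copy of a package nested under its own node_modules) is easy to miss after `npm audit` reports clean. Added example, not code from the gremlint or TinkerPop projects: it walks a parsed package-lock.json (lockfileVersion 2 or 3) and lists every installed copy of a package, flagging copies still below the version the override was meant to force. The package names, versions and lockfile below are constructed placeholders.

```javascript
// Walk the "packages" map of a parsed package-lock.json and collect every
// installed copy of `name`, top-level or nested under another package.
function installedCopies(lock, name) {
  const suffix = "node_modules/" + name;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match only exact path components, so "some-lib" does not match "some-lib-x".
    if (path === suffix || path.endsWith("/" + suffix)) {
      copies.push({ path, version: entry.version });
    }
  }
  return copies;
}

// Numeric compare of plain "x.y.z" versions (no ranges or pre-release tags).
// Returns a negative number, zero or a positive number like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0, db = pb[i] || 0;
    if (da !== db) return da - db;
  }
  return 0;
}

// Copies of `name` still older than `minVersion`: places where the
// override/resolution did not take effect and the old code is still shipped.
function outdatedCopies(lock, name, minVersion) {
  return installedCopies(lock, name)
    .filter(c => compareVersions(c.version, minVersion) < 0);
}

// Constructed lockfile: the top level has the fixed "some-lib" 2.1.0, but
// "some-build-tool" still carries its own nested 1.4.2 copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "0.0.0" },
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib-x": { version: "9.9.9" },
    "node_modules/some-build-tool": { version: "5.0.0" },
    "node_modules/some-build-tool/node_modules/some-lib": { version: "1.4.2" }
  }
};

for (const c of outdatedCopies(sampleLock, "some-lib", "2.0.0")) {
  console.log(`outdated copy: ${c.path} is ${c.version}`);
}
```

Running it against a real lockfile means `JSON.parse`-ing package-lock.json and passing the object in place of `sampleLock`; an empty result after `npm install` confirms the override actually replaced every nested copy.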
