Yes, I agree. As long as we just use it as a means of notification, it will bring value.
On Tue, 18 Jan 2022 at 13:02, Stephen Mallette <[email protected]> wrote:

> Thanks for fixing that. I don't expect dependabot to save any work, but I
> would like to know when there is a bad security problem that needs
> attention. I tend to think of its utility in that way.
>
> On Sun, Jan 16, 2022 at 11:57 AM Øyvind Sæbø <[email protected]> wrote:
>
>> I've updated the dependencies as CTR, but it was not straightforward and
>> not something npm audit was able to do on its own, which makes me a bit
>> skeptical of leaving dependency management to dependabot. A typical problem
>> is when the latest version of a package depends on an outdated package.
>> Then we need to force that package to use a newer version of the
>> outdated package. Since packages then end up with versions they might not
>> have been designed for, we have to be careful to test that building and
>> running the app still works as before. It may be that dependabot handles
>> these cases well, but I'm not sure it would reduce the manual involvement
>> required.
>>
>> https://github.com/apache/tinkerpop/commit/134180f87ef00b08e49dd96ec271e2bb47bd5029 (3.5-dev)
>> https://github.com/apache/tinkerpop/commit/ec28bf7f2eaa76e6a5ba71ec7598c5f7db0c56b8 (master)
>>
>> On Fri, 14 Jan 2022 at 13:16, Øyvind Sæbø <[email protected]> wrote:
>>
>>> I'll see if I can find time to look into it this weekend. I don't think we
>>> need to be concerned about the Gremlint library itself being insecure. It
>>> has zero dependencies, so I assume the warnings are related to the tooling
>>> we use to build or test the library or website. We should keep those up to
>>> date, though, so adding dependabot would be nice.
>>>
>>> On Fri, 14 Jan 2022 at 12:57, Stephen Mallette <[email protected]> wrote:
>>>
>>>> This post is mostly for Øyvind - I'm noticing that when I build gremlint I
>>>> get a number of messages about "critical" dependency updates and similar
>>>> warnings. I was wondering if there were any there that we should be
>>>> concerned about?
>>>>
>>>> In addition, we've put dependabot to work for python and .NET to success,
>>>> and figure that gremlin-javascript is next. What do you think about
>>>> enabling it for gremlint as well?
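The situation Øyvind describes in the thread above (the latest release of a package still pulling in an outdated transitive dependency, which then has to be forced to a newer version and the build re-tested) can be checked mechanically once the forcing is done. The Node.js script below is an added example and not code from TinkerPop or Gremlint: it reads a package-lock.json `packages` map (lockfileVersion 2 or 3), lists packages installed at more than one version (the nested outdated copy), and verifies that every installed copy of a package named in the package.json `overrides` field (the npm 8.3+ mechanism for forcing a transitive version) actually carries the forced version. The package names, versions and both lockfiles are constructed for the example; `checkProject` and its file name are assumptions.

```javascript
// Added example (not TinkerPop/Gremlint code). Finds duplicated (nested,
// usually outdated) copies of a dependency in package-lock.json and checks
// that npm "overrides" from package.json actually took effect.
// Usage against a real project: node check-overrides.js <project-dir>

// Constructed sample manifest: force every copy of "path-parser" to 2.1.0.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: { 'build-tool': '^4.2.0', 'path-parser': '^2.1.0' },
  overrides: { 'path-parser': '2.1.0' },
};

// Constructed lockfile BEFORE the override: build-tool's latest release still
// depends on path-parser@^1, so npm nests an old copy under it.
const LOCK_BEFORE = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/build-tool': { version: '4.2.0', dependencies: { 'path-parser': '^1.0.0' } },
    'node_modules/build-tool/node_modules/path-parser': { version: '1.0.3' },
    'node_modules/path-parser': { version: '2.1.0' },
  },
};

// Constructed lockfile AFTER `npm install` honoured the override: one hoisted copy.
const LOCK_AFTER = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/build-tool': { version: '4.2.0', dependencies: { 'path-parser': '^1.0.0' } },
    'node_modules/path-parser': { version: '2.1.0' },
  },
};

// Package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for the root entry.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Package name -> sorted distinct installed versions, for packages that are
// installed more than once (the nested-copy problem from the thread).
function findDuplicateVersions(lock) {
  const versions = new Map();
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || !entry.version) continue; // skips the root project entry
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(entry.version);
  }
  const duplicates = {};
  for (const [name, set] of versions) {
    if (set.size > 1) duplicates[name] = [...set].sort();
  }
  return duplicates;
}

// Every installed copy of an overridden package whose version differs from the
// forced one. Only string-valued overrides (exact versions) are handled; nested
// override objects are ignored, which is an assumption of this example.
function findOverrideViolations(manifest, lock) {
  const overrides = manifest.overrides || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!name || typeof overrides[name] !== 'string') continue;
    if (entry.version !== overrides[name]) {
      violations.push({ path: lockPath, installed: entry.version, wanted: overrides[name] });
    }
  }
  return violations;
}

// Run both checks against a real project directory (assumed helper).
function checkProject(dir) {
  const fs = require('fs');
  const manifest = JSON.parse(fs.readFileSync(`${dir}/package.json`, 'utf8'));
  const lock = JSON.parse(fs.readFileSync(`${dir}/package-lock.json`, 'utf8'));
  return { duplicates: findDuplicateVersions(lock), violations: findOverrideViolations(manifest, lock) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2];
  if (dir) {
    console.log(JSON.stringify(checkProject(dir), null, 2));
  } else {
    for (const [label, lock] of [['before override', LOCK_BEFORE], ['after override', LOCK_AFTER]]) {
      console.log(label, JSON.stringify({
        duplicates: findDuplicateVersions(lock),
        violations: findOverrideViolations(SAMPLE_MANIFEST, lock),
      }));
    }
  }
}
```

On the constructed "before" lockfile the script reports `path-parser` installed as both 1.0.3 and 2.1.0 and flags the nested copy as violating the override; on the "after" lockfile both lists are empty. A non-empty violations list after `npm install` means the override did not reach that copy and the build should not be trusted until it does; a clean run still does not replace the build-and-run test Øyvind mentions, since the forced version may be one the dependent package was never designed for.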
