On Wed, 22 Dec 2021 at 12:35, Mark Thomas <[email protected]> wrote:
>
> On 21/12/2021 23:55, Hen wrote:
>
> <snip/>
>
> > Dependabot-on-GitHub wise, there is a dashboard but presumably only visible
> > to the organization owners. The new Repository roles maybe could be used to
> > create a Security role who can see it for all repos without making the
> > Security Team Owners on the organization.
> >
> > Can also write GH API code to pull the data; though doing it as a GH Action
> > is probably better if we're hitting the 5,000 PAT limits.
>
> Personally, I *really* don't like dependabot. The volume of noise it has
> created in Apache Commons is significant. To the point that, in my view,
> it is harming the community because the volume of mail from dependabot
> is drowning out other conversations.

+1

At least half of the commits@commons emails are now related to dependabot,
similarly for issues@.

> The thing is, an out-of-date dependency isn't necessarily an issue -
> even if that dependency has known security issues. What matters is how
> the dependency is used.

Indeed.

Another issue is that some dependencies are released much more frequently
than the code which uses them. It's not unknown in Commons for a single
component to have multiple dependabot reports for the same dependency by
the time the next release is ready. Only the last report for each
dependency has any possible relevance.

It's much more efficient to run a Maven dependency check when preparing a
release.

<snip>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
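Two points in the thread lend themselves to a small worked example: Hen's suggestion of pulling the Dependabot data through the GitHub API, and the observation in the reply that when several Dependabot PRs have piled up for one dependency, only the one proposing the newest version still matters. The script below is an added example, not code from Apache Commons or from anyone in the thread. It assumes Dependabot's PR title convention `Bump <dependency> from <old> to <new>[ in <dir>]`; the PR list is constructed to have the shape of the GitHub REST `GET /repos/{owner}/{repo}/pulls?state=open` response, so the example runs offline, and the request-building helper shows the real call without sending it.

```python
"""Collapse open Dependabot PRs to the newest pending update per dependency.

Added example (not from the Commons project or the thread). Assumes the
Dependabot title convention "Bump <dep> from <old> to <new>[ in <dir>]".
SAMPLE_PULLS is constructed data shaped like the GitHub REST response for
GET /repos/{owner}/{repo}/pulls?state=open.
"""
import re
import urllib.request
from typing import Iterable

TITLE_RE = re.compile(
    r"^Bump (?P<dep>\S+) from (?P<old>\S+) to (?P<new>\S+)(?: in (?P<dir>\S+))?$"
)

# Constructed sample: five open PRs, three of them Dependabot bumps for two
# dependencies, one GitHub Action bump, one unrelated human PR.
SAMPLE_PULLS = [
    {"number": 101, "title": "Bump commons-io from 2.8.0 to 2.9.0", "user": {"login": "dependabot[bot]"}},
    {"number": 107, "title": "Bump junit-jupiter from 5.7.2 to 5.8.1", "user": {"login": "dependabot[bot]"}},
    {"number": 112, "title": "Bump commons-io from 2.8.0 to 2.11.0", "user": {"login": "dependabot[bot]"}},
    {"number": 115, "title": "Fix typo in README", "user": {"login": "contributor"}},
    {"number": 118, "title": "Bump actions/checkout from 2 to 2.4.0", "user": {"login": "dependabot[bot]"}},
]


def version_key(version: str) -> tuple:
    """Split '2.11.0' into a tuple that compares numerically per segment.

    Numeric segments sort as (0, int); anything else (e.g. 'RC1') sorts as
    (1, str) after numbers, so '2.11.0' > '2.9.0' and '2' < '2.4.0'.
    """
    return tuple(
        (0, int(seg)) if seg.isdigit() else (1, seg)
        for seg in re.split(r"[.\-]", version)
    )


def latest_updates(pulls: Iterable[dict]) -> dict:
    """Map dependency -> {'from', 'to', 'prs', 'newest_pr'}.

    For each dependency the PR with the highest target version is the only
    one that still matters; the earlier bumps are superseded by it.
    """
    result: dict = {}
    for pr in pulls:
        match = TITLE_RE.match(pr["title"])
        if not match:
            continue  # not a Dependabot bump PR
        dep = match["dep"] if match["dir"] is None else f"{match['dep']} ({match['dir']})"
        entry = result.setdefault(
            dep, {"from": match["old"], "to": match["new"], "prs": [], "newest_pr": pr["number"]}
        )
        entry["prs"].append(pr["number"])
        if version_key(match["new"]) > version_key(entry["to"]):
            entry["to"] = match["new"]
            entry["newest_pr"] = pr["number"]
        if version_key(match["old"]) < version_key(entry["from"]):
            entry["from"] = match["old"]
    return result


def superseded_prs(updates: dict) -> list:
    """PR numbers that propose an older target than a sibling PR and can be closed."""
    return sorted(
        n for entry in updates.values() for n in entry["prs"] if n != entry["newest_pr"]
    )


def open_pulls_request(owner: str, repo: str, token: str) -> urllib.request.Request:
    """Build (not send) the authenticated GitHub REST request for open PRs.

    Each call counts against the 5,000 requests/hour limit of a PAT that the
    thread mentions; one call per repository per page is enough here.
    """
    url = f"https://api.github.com/repos/{owner}/{repo}/pulls?state=open&per_page=100"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    return urllib.request.Request(url, headers=headers)


if __name__ == "__main__":
    summary = latest_updates(SAMPLE_PULLS)
    for dep, entry in summary.items():
        print(f"{dep}: {entry['from']} -> {entry['to']} (keep #{entry['newest_pr']}, all: {entry['prs']})")
    print("superseded:", superseded_prs(summary))
```

With a real token, `urllib.request.urlopen(open_pulls_request(owner, repo, token))` returns JSON that can be fed straight into `latest_updates`; running it from a GitHub Action rather than a personal token, as Hen suggests, keeps the calls off an individual's rate limit.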
