On Thu, Mar 18, 2021 at 11:38:02AM +0100, Fritz Elfert wrote:
> Jean-Noël mentioning security scanners in our recent discussion makes me think:
>
> It would be nice to have dependabot enabled in the github repo settings
> (Security & analysis).
> If both alerts and security updates are enabled, it automatically creates
> pull requests for the relevant changes.
This is something we could experiment with although there are more considerations for upgrading dependencies than simply getting the latest version, as the recent thread about Guava and Guice demonstrates. My experience with these automatic tools is that they work better for applications than frameworks. We would also want to align with other Apache projects -- do we have some similar infrastructure already?

-- 
Andrew Gaul
http://gaul.org/