
[Meta] Enable dependabot alerts on repo to help with dependency updating #1202

Open
Phoenix616 opened this issue Jan 2, 2023 · 4 comments
Labels
✨ feature request New feature or request

Comments

@Phoenix616

What feature are you proposing?

Enabling dependabot on the github repo in order to simplify and speed up the dependency updating (especially in the case of vulnerable ones)

Do you have any additional material for your feature proposal?

@Phoenix616 Phoenix616 added the ✨ feature request New feature or request label Jan 2, 2023
@Phoenix616 Phoenix616 changed the title Enable dependabot alerts on repo to help with dependency updating [Meta] Enable dependabot alerts on repo to help with dependency updating Jan 2, 2023
@Vampire
Member

Vampire commented Jan 2, 2023

I think I am against automatic dependency update PRs, especially as we do not really have a test suite ensuring things are working as expected.

If we introduce one though, it should be considered whether Dependabot or Renovate is used, as I heard voices saying Renovate is better.

@Phoenix616
Author

While I don't think it should be merged directly, I still believe that at least getting some notification about new updates and especially security vulnerabilities would be a good thing. I don't really care what tool is used as long as one is used (and Dependabot is built into GitHub natively, so it's the easiest to at least get running).

This project has a history of not updating old and insecure dependencies for a good amount of time, and I feel like the main issue (like with many other projects) is that one just doesn't notice that dependencies got updated.

@Vampire
Member

Vampire commented Jan 2, 2023

According to one of the main contributors who investigated, none of the vulnerabilities is really relevant for the usage within Javacord, so the dependencies are not insecure in the way we use them. ;-)

@Phoenix616
Author

Glad to hear that then! :D

Would be good if that could be communicated somewhere (or just be updated to the hotfix/a newer version, as several tools will complain about this when depending on Javacord).
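
As an added example that is not part of this thread or the Javacord repository, a `.github/dependabot.yml` that matches the compromise discussed above: Dependabot is configured for Gradle (assumed here to be the project's build tool), but `open-pull-requests-limit: 0` switches off version-update pull requests, so the only pull requests come from Dependabot security updates once alerts and security updates are enabled in the repository's security settings.

```yaml
# Added example (hypothetical), not the project's own file: .github/dependabot.yml
# Assumes a Gradle build at the repository root; change package-ecosystem
# and directory if the build lives elsewhere or uses another tool.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    # 0 disables version-update PRs for this ecosystem, so maintainers are
    # not flooded with routine bump PRs. Dependabot security updates (PRs
    # opened for dependencies with an active alert) are toggled separately
    # in the repository security settings and are not affected by this limit.
    open-pull-requests-limit: 0
```

Dependabot alerts themselves need no file: they are enabled under the repository's code security settings, and an alert judged not to apply to how the library is used can be dismissed there with a recorded reason, which addresses the "communicate it somewhere" point.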
