Phoenix616 changed the title from "Enable dependabot alerts on repo to help with dependency updating" to "[Meta] Enable dependabot alerts on repo to help with dependency updating" on Jan 2, 2023.
While I don't think it should be merged directly, I still believe that at least getting some notification about new updates, and especially security vulnerabilities, would be a good thing. I don't really care what tool is used as long as one is used (and dependabot is built into GitHub natively, so it's the easiest to at least get running).
This project has a history of not updating old and insecure dependencies for a good amount of time, and I feel like the main issue (like with many other projects) is that one just doesn't notice that dependencies got updated.
According to one of the main contributors who investigated, none of the vulnerabilities is really relevant for the usage within Javacord, so the dependencies are not insecure in the way we use them. ;-)
Would be good if that could be communicated somewhere (or just be updated to the hotfix/a newer version as several tools will complain about this when depending on Javacord)
What feature are you proposing?
Enabling dependabot on the GitHub repo in order to simplify and speed up the dependency updating (especially in the case of vulnerable ones)
Do you have any additional material for your feature proposal?
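A minimal `.github/dependabot.yml` that would implement the version-update side of this proposal (pull requests for outdated dependencies, nothing merged automatically). This is an added example, not a file from the Javacord repository, and it assumes the build is Gradle-based with `build.gradle` files at the repository root.

```yaml
# .github/dependabot.yml (added example; assumes a Gradle build, not Javacord's own file)
version: 2
updates:
  # Library and plugin dependencies declared in the root build.gradle
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap how many version-update PRs can be open at once so they stay reviewable
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    # Dependabot only opens PRs; merging each one remains a manual review decision

  # Actions pinned in CI workflows are dependencies too and get the same treatment
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Dependabot alerts (the security notifications the proposal asks for) are switched on separately in the repository's code security settings; this file only configures version-update pull requests.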