Posted to issues@maven.apache.org by "cstamas (via GitHub)" <gi...@apache.org> on 2023/08/03 09:09:43 UTC

[GitHub] [maven] cstamas opened a new pull request, #1214: Fix dependabot alerts

cstamas opened a new pull request, #1214:
URL: https://github.com/apache/maven/pull/1214

   (that are not applicable, but look ugly).
   
   These tests are NOT built, but are taken from real projects several years ago, and used in POM related UTs.
   
   Hence, for example update of velocity is completely okay, even if in "real life" it would not compile.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@maven.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [maven] cstamas commented on pull request #1214: Fix dependabot alerts

Posted by "cstamas (via GitHub)" <gi...@apache.org>.
cstamas commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663605209

   The point is **only** to make these go away https://github.com/apache/maven/security/dependabot
   
   Yes, these are POMs used in UTs only in some POM-related tests...




[GitHub] [maven] mthmulders commented on pull request #1214: Fix dependabot alerts

Posted by "mthmulders (via GitHub)" <gi...@apache.org>.
mthmulders commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663626806

   > @mthmulders any example how to do it?
   
   It seems not to be as easy as I hoped: https://github.com/dependabot/dependabot-core/issues/4364, https://github.com/dependabot/dependabot-core/issues/2883.
   
   The best I could find is a suggestion to configure the "maven" `package-ecosystem` multiple times: once for the root of the project, and then for each location that you want to exclude you specify it again but with `interval: "never"`. Not sure if that works as intended.




[GitHub] [maven] cstamas commented on pull request #1214: Fix dependabot alerts

Posted by "cstamas (via GitHub)" <gi...@apache.org>.
cstamas commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663614969

   @mthmulders any example how to do it?




[GitHub] [maven] gnodet commented on pull request #1214: Fix dependabot alerts

Posted by "gnodet (via GitHub)" <gi...@apache.org>.
gnodet commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663603952

   > (that are not applicable, but look ugly).
   > 
   > These tests are NOT built, but are taken from real projects several years ago, and used in POM related UTs.
   > 
   > Hence, for example update of velocity is completely okay, even if in "real life" it would not compile.
   
   So what's the point? The versions don't even match those used by Maven...




[GitHub] [maven] gnodet commented on pull request #1214: Fix dependabot alerts

Posted by "gnodet (via GitHub)" <gi...@apache.org>.
gnodet commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663604502

   Ah, the answer is in the PR title...




[GitHub] [maven] cstamas commented on pull request #1214: Fix dependabot alerts

Posted by "cstamas (via GitHub)" <gi...@apache.org>.
cstamas commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663630631

   Yes, that is my understanding as well... or ignore, but then one needs to enlist ALL ignored deps, which probably overlap with the ones used by Maven, where we DO WANT dependabot.
   
   It would be simplest if there were something like `ignore_directory` or alike.


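The two configurations discussed in this thread (the per-directory `interval: "never"` workaround suggested by mthmulders, and the per-dependency `ignore` list cstamas mentions), written out as an added example that is not part of the PR or the Maven project's own `dependabot.yml`. The directory path and the dependency name are placeholders; the thread itself does not confirm that `"never"` is an accepted interval value or that either entry stops alerts for the test-only POMs.

```yaml
# .github/dependabot.yml (added illustration; paths and names below are placeholders)
version: 2
updates:
  # Repository root: Maven's real build dependencies, where alerts ARE wanted.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"

  # A directory that only holds test-fixture POMs (never built). Declared
  # again, with the interval value the comment suggests, so that Dependabot
  # is not asked to update anything found under it.
  - package-ecosystem: "maven"
    directory: "/path/to/test-fixture-poms"   # placeholder path
    schedule:
      interval: "never"                        # value as suggested in the thread, unverified

  # The alternative discussed: ignoring dependencies by name. Every ignored
  # artifact has to be listed explicitly, and a name that Maven itself uses
  # would be ignored for the root build as well.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      - dependency-name: "org.example:placeholder-artifact"   # placeholder name
```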


[GitHub] [maven] cstamas merged pull request #1214: Fix dependabot alerts

Posted by "cstamas (via GitHub)" <gi...@apache.org>.
cstamas merged PR #1214:
URL: https://github.com/apache/maven/pull/1214




[GitHub] [maven] cstamas commented on pull request #1214: Fix dependabot alerts

Posted by "cstamas (via GitHub)" <gi...@apache.org>.
cstamas commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663606520

   Sure! 
   
   > Wouldn't it make more sense to exclude those projects using [dependabot.yml](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)?
   
   Sure, that would work as well... 




[GitHub] [maven] mthmulders commented on pull request #1214: Fix dependabot alerts

Posted by "mthmulders (via GitHub)" <gi...@apache.org>.
mthmulders commented on PR #1214:
URL: https://github.com/apache/maven/pull/1214#issuecomment-1663605223

   Wouldn't it make more sense to exclude those projects using [dependabot.yml](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file)?

