Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2022/04/05 08:08:19 UTC

Fwd: [NOTICE] Dependabot Updates enabled for all projects

If you have a fork of Jena, you'll probably have already seen these on the 
forked repo, together with the associated security alert.

Jena also gets regular (non-security) dependabot PRs for java.

For Java updates, they are pretty good. The only out-of-step one is that 
Jetty 11 is not "Jetty 10 next". (Jetty 11 is using Jakarta packages, 
Jetty 10 is using javax packages; otherwise they are the same.)

For javascript, the arrival of a security alert is a prompt to check on 
the dependency. The PRs to date have been updates to the yarn.lock file, 
which isn't right. It would get overwritten. Also, the dependency space 
for javascript is quite messy, with modules depending on old versions of 
other modules across major version changes, and they break if updated too 
much.

     Andy

-------- Forwarded Message --------
Subject: [NOTICE] Dependabot Updates enabled for all projects
Date: Mon, 4 Apr 2022 21:30:48 -0700
From: Chris Lambertus <cm...@apache.org>
Reply-To: users@infra.apache.org
To: announce@infra.apache.org


Hi folks,

Infra is pleased to announce that GitHub’s Dependabot service has been 
approved for use by ASF Legal and Infra, and is now enabled for all 
repos.  Dependabot will create PRs in your repo with recommended 
security updates for your project. It is entirely up to the project to 
accept or reject these PRs.

Dependabot Alerts can also be configured per-project, but currently the 
notifications go to Org Admins only. If your project wishes to receive 
Dependabot Alerts via email, please open an Infra Jira ticket so that we 
can add your committer team to the alerts.

-Chris
ASF Infra