Posted to dev@jena.apache.org by Andy Seaborne <an...@apache.org> on 2022/04/05 08:08:19 UTC
Fwd: [NOTICE] Dependabot Updates enabled for all projects
If you have a fork of Jena, you'll probably have already seen these on the
forked repo, together with the associated security alert.
Jena also gets regular (non-security) dependabot PRs for java.
For Java updates, they are pretty good. The only out-of-step one is that
Jetty 11 is not "Jetty 10 next". (Jetty 11 uses Jakarta packages,
Jetty 10 uses javax packages; otherwise they are the same.)
For javascript, the arrival of a security alert is a prompt to check on
the dependency. The PRs to date have been updates to the yarn.lock file,
which isn't right. It would get overwritten. Also, the dependency space
for javascript is quite messy, with modules depending on old versions of
other modules across major version changes, and they break if updated too
much.
Andy
-------- Forwarded Message --------
Subject: [NOTICE] Dependabot Updates enabled for all projects
Date: Mon, 4 Apr 2022 21:30:48 -0700
From: Chris Lambertus <cm...@apache.org>
Reply-To: users@infra.apache.org
To: announce@infra.apache.org
Hi folks,
Infra is pleased to announce that GitHub’s Dependabot service has been
approved for use by ASF Legal and Infra, and is now enabled for all
repos. Dependabot will create PRs in your repo with recommended
security updates for your project. It is entirely up to the project to
accept or reject these PRs.
Dependabot Alerts can also be configured per-project, but currently the
notifications go to Org Admins only. If your project wishes to receive
Dependabot Alerts via email, please open an Infra Jira ticket so that we
can add your committer team to the alerts.
-Chris
ASF Infra