Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/06/15 20:46:34 UTC

[GitHub] [logging-log4j2] vy commented on pull request #515: Update dependabot to track github action and dockerfile dependencies

vy commented on pull request #515:
URL: https://github.com/apache/logging-log4j2/pull/515#issuecomment-861819840


   I am in favor of this change due to:
   1. `find . -name Dockerfile` acknowledges that we have `Dockerfile` usages in the code base. It is a good practice to make sure that the employed base images are up-to-date and don't use an outdated OS with security vulnerabilities. (I don't think `dependabot` is smart enough to help us with `maven-docker-plugin`-based usages, e.g., in `log4j-layout-template-json`, yet.)
   2. GitHub Actions are similar to Log4j, just a library, though targeting the GitHub CI pipeline. (For instance, we use `scacap/action-surefire-report@v1` to publish test results and `actions/upload-artifact@v2` to upload test reports. See `/.github/workflows/main.yml` for details.) The more we wait for an upgrade, the more painful it will be. And we all know what kind of a burden it is for library maintainers to keep an old version alive.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
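A minimal `.github/dependabot.yml` of the kind the comment above argues for, added here as an illustration and not the file from PR #515; the Dockerfile directory path is a placeholder to be filled from `find . -name Dockerfile`.

```yaml
# Added example configuration, not the one from PR #515.
# File location: .github/dependabot.yml
version: 2
updates:
  # Track the actions referenced from /.github/workflows/*.yml
  # (e.g. actions/upload-artifact@v2, scacap/action-surefire-report@v1)
  # so a new major tag shows up as a pull request instead of a surprise.
  - package-ecosystem: "github-actions"
    directory: "/"          # Dependabot looks under /.github/workflows
    schedule:
      interval: "weekly"

  # One entry per directory that holds a Dockerfile: Dependabot reads the
  # FROM line(s) and proposes the newer base-image tag or digest.
  # Placeholder path; replace with each directory reported by
  # `find . -name Dockerfile`.
  - package-ecosystem: "docker"
    directory: "/PATH/TO/DOCKERFILE/DIR"   # placeholder
    schedule:
      interval: "weekly"
```

Dependabot can only bump a base image whose `FROM` line carries a version tag or a digest; `FROM image:latest` gives it nothing to compare. Images named only in a Maven plugin's `pom.xml` configuration are outside what this ecosystem scans, as the comment notes.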