Posted to dev@tomee.apache.org by "Zowalla, Richard" <ri...@hs-heilbronn.de> on 2022/04/25 06:22:31 UTC

Dependabot PRs' flooding

Hi,

A few weeks ago, I noticed that a lot of mails are generated by
@dependabot on the TomEE repositories.

They contain a lot of false positives (i.e. in the examples) and often
require additional effort (i.e. code changes, XML adjustments) to
upgrade.

We are updating the dependencies before releases anyway (if they are
important), so I am wondering if we should disable @dependabot for the
TomEE repositories?

According to INFRA, it is possible to disable via 
https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-DependabotAlertsandUpdates

Any thoughts? ;)

Richard

Re: Dependabot PRs' flooding

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Feel free to try the setting
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Apr 25, 2022 at 10:45 AM Jean-Louis Monteiro <
jlmonteiro@tomitribe.com> wrote:

> I remember reading some infra thread where projects were complaining a lot
> about dependabot and the noise it produces. The last thing I remember is
> that Apache decided to activate it on all repos of the org and without any
> way to disable it.
>
> Some projects requested to move emails to a /dev/null more or less and
> some of them have a bot to automatically close and delete PRs+branches.
>
> Not too sure about the current status though.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Apr 25, 2022 at 8:22 AM Zowalla, Richard <
> richard.zowalla@hs-heilbronn.de> wrote:
>
>> Hi,
>>
>> A few weeks ago, I noticed that a lot of mails are generated by
>> @dependabot on the TomEE repositories.
>>
>> They contain a lot of false positives (i.e. in the examples) and often
>> require additional effort (i.e. code changes, XML adjustments) to
>> upgrade.
>>
>> We are updating the dependencies before releases anyway (if they are
>> important), so I am wondering if we should disable @dependabot for the
>> TomEE repositories?
>>
>> According to INFRA, it is possible to disable via
>>
>> https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-DependabotAlertsandUpdates
>>
>> Any thoughts? ;)
>>
>> Richard
>>
>

Re: Dependabot PRs' flooding

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
I remember reading some infra thread where projects were complaining a lot
about dependabot and the noise it produces. The last thing I remember is
that Apache decided to activate it on all repos of the org and without any
way to disable it.

Some projects requested to move emails to a /dev/null more or less and some
of them have a bot to automatically close and delete PRs+branches.

Not too sure about the current status though.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Apr 25, 2022 at 8:22 AM Zowalla, Richard <
richard.zowalla@hs-heilbronn.de> wrote:

> Hi,
>
> A few weeks ago, I noticed that a lot of mails are generated by
> @dependabot on the TomEE repositories.
>
> They contain a lot of false positives (i.e. in the examples) and often
> require additional effort (i.e. code changes, XML adjustments) to
> upgrade.
>
> We are updating the dependencies before releases anyway (if they are
> important), so I am wondering if we should disable @dependabot for the
> TomEE repositories?
>
> According to INFRA, it is possible to disable via
>
> https://cwiki.apache.org/confluence/display/INFRA/Git+-+.asf.yaml+features#Git.asf.yamlfeatures-DependabotAlertsandUpdates
>
> Any thoughts? ;)
>
> Richard
>