On Wed, Jul 29, 2020 at 4:33 PM Matt Sicker <boa...@gmail.com> wrote:
> ICLAs aren't required for trivial contributions, though they are
> required for committers. Are bots committers? Alternatively, if we
> only merge PRs from the bot using the Merge button rather than the
> @dependabot comment commands, then that ensures a committer is the one
> who introduces the merge commit itself into the git repo.

IMO, a committer needs to validate the PR and push the merge button.

> As for dependencies, I've been facing an opposite constraint: the
> endless security scanners complaining about every possible CVE or
> proprietary vulnerability published about OSS libraries that have
> patches available. As more and more companies embrace security, one of
> the low-hanging fruits of software development is keeping dependencies
> up to date [1]. As for ensuring things still work in older versions of
> a library, perhaps we should have some way to run tests with old
> versions of the library periodically to ensure we aren't breaking
> compatibility unnecessarily.

At work, we have tooling that checks for CVEs on all third-party libraries we deliver. A CVE on an old library will cause us to update it.

Gary

> [1]:
> https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
>
> On Wed, 29 Jul 2020 at 14:45, Ralph Goers <ralph.go...@dslextreme.com>
> wrote:
> >
> > Hmm. Did dependabot sign an ICLA? As secretary you should know ;-)
> >
> > I’m concerned about what impression it gives users regarding
> > compatibility with prior versions of dependencies. Almost nobody stays
> > completely current on everything. It is too time consuming. I’m also
> > concerned if we have to make modifications to support a new release as that
> > implies the newer release is not backward compatible so users would be
> > locked in. Fortunately, that has rarely happened to us, at least as far as
> > I am aware, but I do know that Spring seems to run into this frequently -
> > or at least the users of Spring do.
> >
>
> --
> Matt Sicker <boa...@gmail.com>