I’d like to use it if we can configure it to do those things. Otherwise, we could disable it and find an alternative bot or service that does allow us to customize the actions it performs. There’s plenty of other services that scan dependencies, some of which have free SaaS versions for OSS.
On Thu, Sep 17, 2020 at 19:49 Ralph Goers <ralph.go...@dslextreme.com> wrote: > I very much like all the emails due to dependabot. Furthermore, if it is > going to create 25 PRs then it also needs to create Jira issues and include > updates to changes.xml, otherwise it just creates a lot of work. > Furthermore, I have never been in favor of updating dependencies versions > without a compelling reason. > > > > On the other hand, if it generated reports that we could include in the > web site indicating we were compatible or if there are problems I would > find that much more valuable. I would really prefer to have the versions > set to the lowest version we support but have verified that it runs with > newer versions. IOW, if dependabot could just perform its test builds and > document the results that would be great. I also wouldn’t mind if it > created PRs when a dependency has a CVE and needs to be updated due to that > (hence increasing the lowest version we support). > > > > I know Gary loves dependabot and always wants everything at the latest > version. What do others think? > > > > Ralph > > -- Matt Sicker <boa...@gmail.com>
