[orb-dev] Source for dependabot PR 151 in ORB

Hello

I'm troubled by the source for https://github.com/eclipse-ee4j/orb/pull/151

Dependabot v2 is not configured in the repository directly and there
is no security advisory
(https://github.com/eclipse-ee4j/orb/security/advisories) published to
justify it.

I just wonder:
- what triggered this PR,
- why the bot was silent for all versions between 6.10 and 7.7.0,
- why it bumps TestNG to 7.7.0 instead of 7.7.1, which is one month+ old,
- why are other dependencies not bumped?

The last previous PR - https://github.com/eclipse-ee4j/orb/pull/108 -
was created in 2020. I might not remember this correctly, but it's
possible it was an external service then.

Perhaps someone can provide some details before I reach EF HelpDesk (I
suppose Steve has no privilege to check "Installed GitHub Apps" in
that project). Or GH Support.

I'd like to learn the cause before setting the dependabot in the project.

Thanks,

Piotrek

