Re: [orb-dev] Source for dependabot PR 151 in ORB
  • From: "Steve Millidge (Payara)" <steve.millidge@xxxxxxxxxxx>
  • Date: Thu, 9 Feb 2023 17:15:37 +0000

Is it something that GitHub is just doing as it says "commented on behalf of github"? I can't see configured GitHub apps on this project. However, we get these on some Payara repos without us configuring the bot specifically. I think it is something you have to explicitly switch off?

Don't know why it has only shown up now. If you go to this page you can see that dependabot is enabled.


-----Original Message-----
From: orb-dev <orb-dev-bounces@xxxxxxxxxxx> On Behalf Of Piotr Zygielo
Sent: 04 February 2023 16:56
To: orb developer discussions <orb-dev@xxxxxxxxxxx>
Subject: [orb-dev] Source for dependabot PR 151 in ORB


I'm troubled by the source for

Dependabot v2 is not configured in the repository directly and there is no security advisory
( published to justify it.

I just wonder:
- what triggered this PR,
- why the bot was silent for all versions from 6.10 to 7.7.0,
- why it bumps TestNG to 7.7.0 instead of 7.7.1 which is one month+ old,
- why are other dependencies not bumped?

The last previous PR - - was created in 2020. I might not remember this correctly, but it's possible it was an external service then.

Perhaps someone can provide some details before I reach EF HelpDesk (I suppose Steve has no privilege to check "Installed GitHub Apps" in that project). Or GH Support.

I'd like to learn the cause before setting the dependabot in the project.

