Re: [orb-dev] Source for dependabot PR 151 in ORB

Thanks Steve,

On Thu, 9 Feb 2023 at 18:15, Steve Millidge (Payara)
<steve.millidge@xxxxxxxxxxx> wrote:
>
> Is it something that GitHub is just doing as it says "commented on behalf of github"? I can't see configured GitHub apps on this project. However, we get these on some Payara repos without us configuring the bot specifically. I think it is something you have to explicitly switch off?

> Don't know why it has only shown up now. If you go to this page https://github.com/eclipse-ee4j/orb/security you can see that dependabot is enabled.

It looks like the vulnerability was patched in the just-released 7.7.0 - that's
why it only now resulted in a PR.

> https://github.com/eclipse-ee4j/orb/security

Yes!

HOW could I miss THAT? It's just one click away from Advisories! And I
WAS looking for exactly that - dependabot vuln. alerts.

This is all clear now.

Thank you,

Piotrek
