Replies: 2 comments 2 replies
-
|
That's not possible I'm afraid for two reasons:
|
Beta Was this translation helpful? Give feedback.
-
We could blacklist those specific dependencies so that they are not upgraded automatically (note that a Dependabot PR will still have to go through the regular approval process). If these dependencies are shared between our project and WildFly/Quarkus do we really need to list them? Will they not get included simply because we have a direct dependency on a specific version of WildFly/Quarkus?
Although a valid point I would consider CVE scanning to be a separate concern from providing PRs to update to the latest version of a given dependency. Although admittedly it would be nice to have a tool that does both. |
Beta Was this translation helpful? Give feedback.
-
|
I was looking at making some PRs based on updating dependencies that are having CVE issues reported by Sonatype CLM. We use sonatype for eve scanning and dependabot for version updating at my work. Besides not upgrading quarkus/wildfly dependencies directly are there any other restrictions I should be aware of? Dependabot might still be a viable option btw as each upgrade is a separate PR and you can choose to ignore. Not sure if you can configure dependant to ignore certain libraries as I didn't set up our CICD or configure. Also if Im doing these version changes as a PR do I need to limit to one dependency per PR (if Possible)? or can I submit multiple as a single PR? |
Beta Was this translation helpful? Give feedback.
-
You can actually, there is an
I would say if they are security issues that need to be resolved that you should follow our security policy. |
Beta Was this translation helpful? Give feedback.
-
We can use Dependabot to keep packages we use updated to the latest versions. This will ensure that we can do timely updates for our dependencies without having to make massive PRs that update all of them together at the same time.
Beta Was this translation helpful? Give feedback.
All reactions