
enable dependabot for opensearch repositories #664

Closed
rursprung opened this issue May 6, 2021 · 8 comments
@rursprung
Contributor

Is your feature request related to a problem? Please describe.
I noticed that dependency updates seem to be done manually (see e.g. #661). This means that there's no guarantee that all dependencies are up-to-date and do not contain any known vulnerabilities.
Some users (esp. corporate users) will run 3rd-party artifact scanning on all software which they run/ship and will block it if it contains known vulnerabilities (regardless of whether there's a known way to exploit it with this software or it's just part of a library which is being pulled in but that part isn't even being used).
Keeping dependencies updated with an automated process will prevent unnecessary last-minute manual updates.

Describe the solution you'd like
GitHub has a feature called Dependabot which automatically keeps track of the dependencies in a repository and creates pull requests to update the dependencies when newer versions become available.

Note: this doesn't just apply to this repo here but instead to all opensearch-project repos.

Describe alternatives you've considered
Manual updates don't scale (things are being overlooked, etc.).
Of course Dependabot (and any other such feature) only works if dependencies make use of semver.
For major releases of dependencies the change must still be done manually since more adaptations will be needed (but who knows, maybe one day this can be automated away as well? 😃)

Additional context
See the Dependabot documentation.

@rursprung rursprung added the enhancement Enhancement or improvement to existing feature or request label May 6, 2021
@CEHENKLE
Member

CEHENKLE commented May 6, 2021

This is a really good point. Let me turn it around and ask -- is there any reason why we wouldn't turn on updating? @hyandell?

@hyandell
Member

hyandell commented May 6, 2021

Please turn them on :)

@rursprung
Contributor Author

I think this needs to be looked at first by somebody with access to the repository settings.
Based on the documentation this should be enabled by default if the settings are correct: https://docs.github.com/en/code-security/supply-chain-security/configuring-dependabot-security-updates#supported-repositories

GitHub automatically enables Dependabot security updates for every repository that meets these prerequisites.
[..]

It can still be enabled manually by providing a .github/dependabot.yml file, but it seems that this shouldn't be necessary.

@dblock
Member

dblock commented May 7, 2021

I assigned this to @CEHENKLE, much thanks!

@CEHENKLE
Member

Thanks @rursprung again for the callout. We've enabled dependency graph, Dependabot alerts and Dependabot security updates on all OpenSearch repos at the org level. This should impact all current repos, as well as all new repos created.

I'm not 100% sure how it'll work for a complex multi-project gradle build without some more work, but it gives us a target to hit.

Thanks again,
/C

@rursprung
Contributor Author

@CEHENKLE: are you sure that this worked? I haven't seen a single PR from Dependabot being opened on this repo and can't imagine that there wouldn't be any dependency which it'd want to update (unless you're all super fast in updating to the latest versions of all dependencies at all times when they come out?)

@CEHENKLE
Member

@rursprung Hm, that's weird. Let me take a look at that today. Thanks for the ping!

@setiah
Contributor

setiah commented Jul 28, 2021

Dependabot is enabled on OpenSearch and Dashboards repos and I could see dependabot based alerts and PRs on OpenSearch-Dashboards repository (see here), however, I don't know yet why we don't have such alerts on OpenSearch.

I was thinking it could be due to a missing Dependabot configuration file, as described here - "You enable Dependabot version updates by checking a configuration file into your repository." (reference) - but then I didn't see any such configuration file in the Dashboards repo either. Will try to dig more on this later.
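The two mechanisms the thread keeps circling are distinct: Dependabot security updates are driven by Dependabot alerts and need no file in the repository (the behaviour quoted above), whereas Dependabot version updates (the routine "bump X from 1.2 to 1.3" PRs that the original request asks for) are only produced once a .github/dependabot.yml is checked in. The file below is an added example written for this issue, not the OpenSearch project's own configuration; it assumes a Gradle root build plus one subproject directory (the "/server" path is a placeholder) and a CI setup using GitHub Actions. It also encodes the policy from the issue description that major-version bumps stay manual.

```yaml
# Added example (not the OpenSearch project's own file): .github/dependabot.yml
# This enables Dependabot *version* updates. Security updates triggered by
# Dependabot alerts do not need this file; version updates do.
version: 2
updates:
  # Root Gradle build: Dependabot reads the build script in this directory.
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap concurrent PRs so a weekly run does not flood reviewers.
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    # Keep major version bumps manual, as the issue suggests; only minor and
    # patch updates are raised automatically (assumes semver-tagged deps).
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Placeholder subproject path: in a multi-project Gradle build, each
  # directory whose build script declares its own dependencies needs an entry.
  - package-ecosystem: "gradle"
    directory: "/server"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Keep the actions referenced by CI workflows current as well, since a
  # pinned-but-stale action is itself a supply-chain dependency.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

A quick way to confirm the file is being picked up after merging it is the repository's Insights > Dependency graph > Dependabot tab, which lists each configured ecosystem and the timestamp and log of its last check; an ecosystem that never appears there usually means the directory path does not contain a build script Dependabot recognises.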

ritty27 pushed a commit to ritty27/OpenSearch that referenced this issue May 12, 2024
…t#664)

* Adding workflow to increment version after release on the 2.x branch

Signed-off-by: Vacha Shah <vachshah@amazon.com>

* Added CHANGELOG

Signed-off-by: Vacha Shah <vachshah@amazon.com>

---------

Signed-off-by: Vacha Shah <vachshah@amazon.com>