Snyk can alert on CVEs and it can also send summary reports, but I am not sure whether it works well with organizational repositories and for open source organisations.

https://github.com/ecki/commons-vfs/pull/9

But +1 for getting rid of those notifications.

Regards
Bernd
--
http://bernd.eckenfels.net

________________________________
From: sebb <seb...@gmail.com>
Sent: Wednesday, December 29, 2021 12:52:39 AM
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: can we get rid of dependabot?

+1, I agree that dependabot (rhymes with spamalot) should be disabled entirely.

Unfortunately moving the notification emails to a separate list won't stop the noise, unless committers ignore the PRs it creates. In which case, there's really no point in having it.

What we need is notifications ONLY when a dependency has a security issue.
Otherwise the sensible time to check and update dependencies is just before a release.

Please let's stop the flood of largely useless mails - over 50% of commits, issues and notification emails are now caused directly or indirectly by dependabot.
If it were a human sending even a few of these messages we would have banned them long ago.

Sebb.

On Tue, 28 Dec 2021 at 23:33, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> There is nothing to fix in Maven: Maven does not create a branch, run the
> GitHub Actions builds, and email you a report. Maven tells you what could
> be updated, that's it, and it works great. Apples and oranges.
>
> Gary
>
> On Tue, Dec 28, 2021 at 5:28 PM Romain Manni-Bucau <rmannibu...@gmail.com> wrote:
>
> > Not sure, guess you have dependabot lovers and haters, but let's stay simple:
> >
> > 1. If the Versions Maven Plugin does not do its job, let's fix it.
> > 2. If the release manager handles the dependency check before the release, as most ASF
> >    projects do, let's drop dependabot.
> > 3. If not, and dependabot is actually useful, let's make it more clever by checking
> >    compatibility between dependencies, handling the dependency baseline (preventing use
> >    of Servlet 4 if you must be compatible with v2, for example) and OSGi metadata (how
> >    many Commons projects validate it with dependabot?).
> >
> > From my experience 2 is the most efficient and cheapest, but 3 is an option if somebody
> > wants to make the investment too.
> >
> > On Tue, 28 Dec 2021 at 23:03, Xeno Amess <xenoam...@gmail.com> wrote:
> >
> > > I think most people like me actually do not hate dependabot but hate the
> > > email flood and notification flood it brings...
> > >
> > > XenoAmess
> > > ________________________________
> > > From: Xeno Amess <xenoam...@gmail.com>
> > > Sent: Wednesday, December 29, 2021 6:01:58 AM
> > > To: Commons Developers List <dev@commons.apache.org>
> > > Subject: Re: can we get rid of dependabot?
> > >
> > > JUnit 5 RC, for example.
> > >
> > > XenoAmess
> > > ________________________________
> > > From: Xeno Amess <xenoam...@gmail.com>
> > > Sent: Wednesday, December 29, 2021 6:01:35 AM
> > > To: Commons Developers List <dev@commons.apache.org>
> > > Subject: Re: can we get rid of dependabot?
> > >
> > > The Versions Maven Plugin's problem is that it will bring you the latest release, even
> > > RC releases...
> > >
> > > XenoAmess
> > > ________________________________
> > > From: Xeno Amess <xenoam...@gmail.com>
> > > Sent: Wednesday, December 29, 2021 6:00:40 AM
> > > To: Commons Developers List <dev@commons.apache.org>
> > > Subject: Re: can we get rid of dependabot?
> > >
> > > dependabot is useful but dependabot email is annoying.
> > > Can we find a solution and kill the dependabot emails?
> > >
> > > XenoAmess
> > > ________________________________
> > > From: Mark Thomas <ma...@apache.org>
> > > Sent: Wednesday, December 29, 2021 5:52:54 AM
> > > To: dev@commons.apache.org <dev@commons.apache.org>
> > > Subject: Re: can we get rid of dependabot?
> > >
> > > +1
> > >
> > > And it isn't just the notifications that an upgrade is available. The
> > > associated GitHub emails are just as much of a problem.
> > >
> > > The Versions Maven Plugin would be a much better solution to this problem.
> > > - Run it once as part of the pre-release process.
> > > - One commit to apply all pending updates.
> > > - Job done.
> > >
> > > Mark
> > >
> > >
> > > On 28/12/2021 18:29, Romain Manni-Bucau wrote:
> > > > +1, a lot of false positives and useless noise so the gain is rather not
> > > > positive for me too (and we review deps before a release anyway... when there
> > > > are some important ones)
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> |
> > > > Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
> > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> |
> > > > Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> > > >
> > > >
> > > > On Tue, 28 Dec 2021 at 19:20, Phil Steitz <phil.ste...@gmail.com> wrote:
> > > >
> > > >> I can no longer effectively monitor commits@ due to the spam generated
> > > >> by this tool. I am afraid my eyeballs aren't the only ones going
> > > >> missing here and that is a problem much more severe than any value
> > > >> provided by this tool, IMO.
> > > >>
> > > >> Phil
> > > >>
> > > >
> > >
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
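Added illustration, not part of the thread above and not an Apache Commons configuration: one way to get what sebb asks for (Dependabot pull requests only when a dependency has a security issue) without removing the bot entirely is to keep a `.github/dependabot.yml` for the Maven ecosystem but set `open-pull-requests-limit` to 0. That setting disables version-update pull requests for that ecosystem; Dependabot security updates and alerts are enabled in the repository's security settings rather than in this file, so they are not affected by the limit. The directory and schedule values are assumptions for a single-module project with `pom.xml` at the repository root.

```yaml
# .github/dependabot.yml (added example; assumes pom.xml at the repository root)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"            # assumption: single-module build rooted here
    schedule:
      interval: "weekly"      # required by the schema even when no version-update PRs are opened
    # 0 switches off version-update pull requests for this ecosystem.
    # Security updates and alerts are toggled in the repository's security
    # settings, not here, so a security-fix PR still arrives when one applies.
    open-pull-requests-limit: 0
```

With this in place the only Dependabot pull requests (and therefore the only GitHub Actions runs and notification mails tied to them) are security updates, while the routine "bump X from 1.2 to 1.3" PRs stop; the remaining updates can then be picked up in one commit from the Versions Maven Plugin before a release, as Mark describes. Deleting the file altogether also stops version updates, but keeping it leaves a place for `ignore` rules and registry settings if the project ever wants them back.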