-
Here at my work I use Dependabot and it works fine; it helps me avoid using outdated libraries and keeps the application very stable and on the latest versions. But I believe that for an open-source library it could be bad, since we need to keep as much compatibility as possible. Still, it's good to keep it on to check whether we're using a library with a security issue.
-
See https://github.com/PHP-Open-Source-Saver/jwt-auth/compare/dependabot/add-v2-config-file
I think this was inherited from tymondesigns/jwt-auth. I've never used Dependabot and thus I'm not sure if it's a fit for our lib.
Usually we want to keep the compatibility as broad as possible, except for security issues.
Does anyone know how this works in practice?