Closed dependabot[bot] closed 3 years ago
CLAassistant
commented
3 years ago
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.
javagl
commented
3 years ago @weegeekps There are several automated PRs open. I'm tempted to just hit "Merge" on them, because from my experience, usually, the dependabot updates work (but this refers to the Java world). Would it be OK to just give it a try, and if it fails, just roll back and open an issue for further investigation?
weegeekps
commented
3 years ago @javagl Dependabot can be really hit or miss in the JavaScript world. Sometimes there's no issue, others it causes major problems. Most of these things that get flagged actually are in dev tooling that doesn't get bundled with the webapp itself.
I've been really lax on keeping this repo updated lately due to me being hyper-focused on the Metadata efforts. I am going to set aside some time this evening to get things updated. If you are interested, I would gladly take some time to cross train you on how to update Create React App so both of us can do this. Please let me know and we can set up a short meeting some day.
javagl
commented
3 years ago I don't know whether some specific "training" will be necessary - I thought that this was mainly (roughly) about 1. checking out the fixed branch locally, 2. running the build and check the result, and 3. hitting 'merge' if everything works. (or is there more to that?).
More generally, there's this quote of "Never change a running system" (and vice versa :-) ). So iff these updates are just "version bumps for the sake of version bumps", and as long as they are not related to bugfixes that are immediately relevant for us, or (more importantly) security fixes for the deployed result, I think they can all be integrated when there is a dedicated update or "new release".
weegeekps
commented
3 years ago Most of the dependencies that we get flagged on for security reasons are actually dependencies of another package we are currently using. There are a few commands that can be run to figure out exactly which of the dependencies we should update but the most useful these is yarn audit. I believe Dependabot actually uses that itself for auditing a project.
In our case, 9/10 times the issue is in the react-scripts package which means we have to update Create React App. Accepting these from Dependabot is a dice roll, but more often than not it will break things. I am working on finishing up an update to Project Explorer where I'm updating as many of the packages as possible, and adding overrides for a few of the packages that we don't directly use. Stay tuned; this has taken a day or two but I hope to have a PR opened soon.
weegeekps
commented
3 years ago Opened #79. I am going to close these three Dependabot PRs.
dependabot[bot]
commented
3 years ago OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.
If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps ssri from 6.0.1 to 6.0.2.
Changelog
Sourced from ssri's changelog.
Commits
b7c8c7cchore(release): 6.0.2b30dfdbfix: backport regex change from 8.0.1Maintainer changes
This version was pushed to npm by nlf, a new releaser for ssri since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/KhronosGroup/glTF-Project-Explorer/network/alerts).