danger / danger-js

⚠️ Stop saying "you forgot to …" in code review
http://danger.systems/js/
MIT License

There are a lot of outdated dependencies in this project, it could benefit from dependency scanning #1362

Closed drawks closed 1 year ago

drawks commented 1 year ago

As mentioned briefly in #1275, there are quite a few outdated dependencies in the lockfiles for this project. If the maintainers could enable GitHub's Dependabot integration, it would give a nice steady flow of alerts and potentially automated pull requests to help keep the project safer by not leaving it stuck on versions of dependencies with known issues.

orta commented 1 year ago

These things get very annoying very quickly at my scale of OSS and I would just ignore them. I'm open to slow, deliberate PRs fixing things as they come along, but not dumb spam from bots.

drawks commented 1 year ago

The counterpoint is that these types of integrations can be tuned to limit the rate at which they generate PRs, and with any code base with decent test coverage it should be relatively trivial to evaluate the majority of upstream dependency upgrades for breaking changes.

Even if the bot reports something that is non-impacting, the generated PRs make a great persistent place to note that your project isn't impacted by the noted flaw/vulnerability.

Ultimately it is your project, so you saying no to the suggestion is perfectly valid.

As a user, though, I'm left wondering if maybe it'd be safer to have the time of your contributors be spent evaluating/reviewing regular, predictable PRs for normal dependency housekeeping rather than have those contributors be expected to "slowly and deliberately" do work which is easily farmed out to automation.
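The "can be tuned to limit the rate" point above is a matter of configuration. The following `.github/dependabot.yml` is an added example, not a file from danger-js or from either commenter; the ecosystem, directory, schedule, cap and labels are assumptions chosen to show a low-noise setup (one grouped PR per week, at most three open bot PRs, majors left to humans).

```yaml
# Added example: a rate-limited Dependabot configuration. Not part of danger-js.
# Assumptions: npm-style lockfile at the repo root, weekly cadence is acceptable.
version: 2
updates:
  - package-ecosystem: "npm"        # assumption: package.json/lockfile managed by npm or yarn
    directory: "/"                  # assumption: manifest lives at the repository root
    schedule:
      interval: "weekly"            # one batch per week instead of a PR per upstream release
      day: "monday"
    open-pull-requests-limit: 3     # hard cap on concurrently open bot PRs (default is 5)
    groups:
      # Fold routine minor/patch bumps across all dependencies into a single PR,
      # so CI evaluates them together against the existing test suite.
      routine-updates:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Major bumps need a deliberate human decision; do not open PRs for them.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"
```

Two caveats worth knowing before adopting this: the `ignore` rules also apply to Dependabot security updates, so a fix that only ships in a new major will not get a PR and must be tracked from the repository's Dependabot alerts tab; and setting `open-pull-requests-limit: 0` turns off version updates entirely while still allowing security-update PRs, which is the quietest option if the goal is alerts only.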

orta commented 1 year ago

Yeah, your perspective is very valid.

If something like that is important to someone, they will send a PR. Most CVEs in the JS ecosystem aren't really very useful, and forcing all downstream deps to update is a waste of maintainer time.

I've maintained all these dangers for 8 years, in addition to a bunch of other projects by not having them suck up my time, so I'm not going to add those sorts of emails 👍🏻