jakartaee / expression-language

Jakarta Expression Language
https://eclipse.org/ee4j/el

[StepSecurity] Apply security best practices #200

Closed. step-security-bot closed this 1 year ago

step-security-bot commented 1 year ago

Summary

This pull request is created by Secure Repo at the request of @fperezel. Please merge the Pull Request to incorporate the requested changes. Please tag @fperezel on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

Security Fixes

resolve: #199

Keeping your actions up to date with Dependabot

With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Feedback

For bug reports, feature requests, and general feedback, please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

markt-asf commented 1 year ago

@fperezel I am minded to reject this PR. The EL API has no runtime dependencies (the build time dependencies are not a security concern) and my experience of Dependabot in other projects is that it generates a LOT of unnecessary noise.

ghost commented 1 year ago

Hi @markt-asf,

I understand your concern, and I would say that Dependabot alerts about version updates by default (including security). Thus I have updated this PR to configure Dependabot only to alert about security, which is something recommended in case only Dependabot security updates are needed.

So before making a decision I do recommend having Dependabot enabled only for security updates, as this PR could be reverted at any time. What do you think?

Please find more information about configuring Dependabot to only alert about security updates here: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

Cheers, FP
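The two Dependabot setups discussed in this thread, shown as an added illustration that is not part of this PR or of the expression-language repository. The first document is a typical version-update configuration for GitHub Actions (the kind of update the PR title refers to); the second keeps the same ecosystem entry but sets `open-pull-requests-limit: 0`, which stops Dependabot from opening version-update pull requests for that ecosystem while leaving security updates, which are enabled separately in the repository's security settings, unaffected. The ecosystem, directory and schedule values are assumptions, not taken from the PR, and the two documents are shown side by side only for comparison; a real `.github/dependabot.yml` holds a single document.

```yaml
# Added example (not from this PR): .github/dependabot.yml with version
# updates for GitHub Actions. Every outdated action gets its own PR,
# which is the "noise" objection raised in the thread.
version: 2
updates:
  - package-ecosystem: "github-actions"   # assumed ecosystem
    directory: "/"                        # assumed location of workflow files
    schedule:
      interval: "weekly"                  # assumed cadence
---
# Added example (not from this PR): same ecosystem entry, but with the
# version-update PR limit set to 0. Dependabot then opens no version-update
# PRs for this ecosystem; security updates, enabled separately under the
# repository's security settings, are not governed by this limit.
version: 2
updates:
  - package-ecosystem: "github-actions"   # assumed ecosystem
    directory: "/"                        # assumed location of workflow files
    schedule:
      interval: "weekly"                  # assumed cadence
    open-pull-requests-limit: 0           # no version-update PRs, security updates unaffected
```

The second form is the documented way to keep a package ecosystem registered with Dependabot without receiving routine version-bump pull requests; whether security-update pull requests arrive at all still depends on the repository-level security setting linked in the comment above.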

markt-asf commented 1 year ago

@fperezel there are no runtime dependencies to update (for security or any other reason), so I still do not see the benefit of accepting this PR.

markt-asf commented 1 year ago

@step-security-bot I still haven't seen a justification for this PR so unless one is provided in the next few days I intend to close the PR without merging and to close the associated issue as "Not relevant".

ghost commented 1 year ago

Hi @markt-asf

In the short term, for a repo without runtime or third-party dependencies, enabling Dependabot for security updates may not be a benefit; however, in the mid or long term, if the repo evolves to have dependencies, this PR could be a benefit as it is already enabled, couldn't it?

Finally, as long as there is a process to review the security of this repo, this PR may be closed without merging.

markt-asf commented 1 year ago

It is highly unlikely that EL will ever add runtime dependencies. If it does, we can review the use of dependabot at that time.