rubyforgood / human-essentials

Human Essentials is an inventory management system for diaper, incontinence, and period-supply banks. It supports them in distributing to partners, tracking inventory, and reporting stats and analytics.
https://humanessentials.app
MIT License
446 stars, 473 forks

Update dependabot.yml #4461

Closed: dorner closed 3 months ago

dorner commented 3 months ago

Daily updates are really annoying. Much prefer monthly so I can knock them out at once.

cielf commented 3 months ago

@dorner I grok that -- only thing I would want to ask is whether there is any security downside, and how we might mitigate it if there is?

dorner commented 3 months ago

It's incredibly rare for a security problem to be so bad that you have to update in less than a month. We don't upgrade Ruby versions for well over a year, and it's far more likely for security to be addressed in big packages like Ruby or Rails, which generally aren't covered by Dependabot because they need manual work.

github-actions[bot] commented 3 months ago

@dorner: Your PR Update dependabot.yml is part of today's Human Essentials production release: 2024.06.23. Thank you very much for your contribution!