Closed nathannaveen closed 2 years ago
@nathannaveen Hi, can you please sign the CLA for this? Also, do you mind explaining what would be the result after this PR, will dependabot open PRs for upgrading dependencies?
I have signed it, and yes it will open PRs for upgrades.
Merging #931 (8375786) into develop (dcd70b1) will decrease coverage by 0.01%. The diff coverage is n/a.
@@ Coverage Diff @@
## develop #931 +/- ##
===========================================
- Coverage 75.34% 75.33% -0.02%
===========================================
Files 918 918
Lines 27080 27080
Branches 1657 1673 +16
===========================================
- Hits 20404 20401 -3
- Misses 6676 6679 +3
Impacted Files | Coverage Δ | |
---|---|---|
...r/finagle/pushsession/PushChannelHandleProxy.scala | 83.33% <0.00%> (-8.34%) | :arrow_down: |
...witter/finagle/mux/pushsession/MessageWriter.scala | 70.37% <0.00%> (-7.41%) | :arrow_down: |
...twitter/finagle/service/PendingRequestFilter.scala | 86.36% <0.00%> (-4.55%) | :arrow_down: |
...inagle/http2/transport/server/H2ServerFilter.scala | 82.69% <0.00%> (-1.93%) | :arrow_down: |
.../com/twitter/finagle/tracing/BroadcastTracer.scala | 68.75% <0.00%> (+8.33%) | :arrow_up: |
...ttp2/transport/client/Http2ClientEventMapper.scala | 100.00% <0.00%> (+9.09%) | :arrow_up: |
...tter/finagle/dispatch/SerialClientDispatcher.scala | 100.00% <0.00%> (+16.66%) | :arrow_up: |
Continue to review full report at Codecov.
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dcd70b1...8375786.
Hi @nathannaveen, thank you for adding dependabot to our repository! Since this involves detecting and resolving vulnerabilities for our project, we need to consult with our security group to understand the outcome a bit more. I am in touch with them and will keep you posted on the progress.
Hi @nathannaveen, we are already using similar security tooling to scan and monitor our repositories. Based on the investigation, Dependabot performs similar functionality. So we are leaning towards using the existing tooling. I am going to close this PR, please re-open if you feel strongly about adding Dependabot, thank you!
This should help with keeping the GitHub Actions updated on new releases. This will also help with keeping it secure.
- Dependabot helps in keeping the supply chain secure: https://docs.github.com/en/code-security/dependabot
- GitHub Actions up to date: https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot
- https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool

Signed-off-by: nathannaveen 42319948+nathannaveen@users.noreply.github.com
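The kind of configuration this PR introduces, shown here as an added example rather than the PR's actual file (the page does not include the diff). It assumes the workflows live under the repository's default `.github/workflows` directory; the schedule, label and commit-message prefix are illustrative choices, and the `sbt` ecosystem is not listed because Dependabot does not support it, which is why only the GitHub Actions dependencies are covered.

```yaml
# .github/dependabot.yml (example, not the file from PR #931)
version: 2
updates:
  # Watch the `uses:` entries in every workflow under .github/workflows
  # and open a PR when an action publishes a new release. Actions pinned
  # to a commit SHA are updated too; Dependabot bumps the SHA and keeps
  # the version comment in sync, so pinning does not block updates.
  - package-ecosystem: "github-actions"
    directory: "/"          # "/" means .github/workflows at the repo root
    schedule:
      interval: "weekly"    # batch update PRs once a week instead of daily
    open-pull-requests-limit: 5  # cap concurrent Dependabot PRs (assumed value)
    labels:
      - "dependencies"      # assumed label, makes the PRs easy to filter
    commit-message:
      prefix: "ci"          # assumed prefix so the bumps are obvious in git log
```

Each resulting PR still runs the repository's normal CI and requires the usual review, so the config adds update visibility without granting the bot merge rights; the Scorecard `Dependency-Update-Tool` check linked above passes as soon as this file exists on the default branch.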