
chore: Update dependabot.yml template #1813

Merged
merged 2 commits into from
Jun 16, 2023

Conversation

@ddixit14 ddixit14 commented Jun 15, 2023

@ddixit14 ddixit14 requested a review from a team as a code owner June 15, 2023 17:14
@@ -11,4 +11,7 @@ updates:
schedule:
interval: "daily"
# Disable version updates for pip dependencies
open-pull-requests-limit: 0
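Review bot: `open-pull-requests-limit: 0` stops Dependabot version-update PRs only; per the linked dependabot.yml docs it has no effect on security updates, which keep a separate internal limit of ten open PRs, so the comment `# Disable version updates for pip dependencies` is technically accurate but PRs for dependencies whose release notes are categorized as security fixes (a cryptography release, for example) will still be opened. The review thread also points out that the added comment repeats one already present in the file; consider dropping the duplicate and extending the remaining comment to state that security updates are unaffected by this limit.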
Member
This already says "# Disable version updates for pip dependencies"

Member
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit

This option has no impact on security updates, which have a separate, internal limit of ten open pull requests.

Contributor
I think the security category is how this is leaking through.

Release notes for the dependency list security in what was fixed.

Cryptography probably implicitly gets categorized as security

Member
Yes.

@alicejli
Contributor

General question: is this update because we're moving to renovate-bot?

@suztomo
Member

suztomo commented Jun 16, 2023

@alicejli we use renovate-bot as well as the shared-dependencies BOM to update maven dependencies.

@suztomo suztomo merged commit f961eb0 into master Jun 16, 2023
@suztomo suztomo deleted the ddixit14-patch-1 branch June 16, 2023 02:08