Included Dependabot #2980
Conversation
Hi @nathan-415. Thanks for your PR. I'm waiting for a google member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test. Once the patch is verified, the new status will be reflected by the ok-to-test label. I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
In this repo, the cmd directory has separate go.mod and go.sum files and thus it also needs an entry in dependabot.yml. In addition, there are a few Dockerfiles under
Enable dependabot to get security updates and if needed version updates on dependencies.
Force-pushed from e46cf28 to 485aea9
I have included for
@kolyshkin I have made the changes you have requested.
/ok-to-test
LGTM(nb), thank you @nathan-415!
looks good, thanks @nathan-415!
I understand what LGTM means, but what is "nb"?
"non binding" I think :)
Oh well, this opened the gates of hell. Problem is, Dependabot updates Go deps for the main module and for ./cmd separately, and this breaks CI for both PRs. Unless there's some sort of an option to do this at once, it's not going to work (except as a reminder to update).
Yes, it sounds like Dependabot might be more trouble than it's worth. In addition to the issue of updates of ./cmd and the ./ main module being separated and breaking CI, there's another issue: since cAdvisor is vendored into k/k, dependency updates in cAdvisor will have to make it back into k/k. k/k sometimes sticks to older versions of dependencies for various reasons/blockers, so to avoid churn when vendoring cAdvisor back into k/k I think we should stick with manual updates. GitHub will still alert for any dependencies with security issues, so we should be made aware of out-of-date deps with security issues. As a result of those two reasons, let's revert Dependabot for now.
Thanks, makes sense. I hope you have enabled the Dependabot settings to get security updates. |
What changes were proposed in this pull request?
Enable dependabot to get security updates and if needed version updates on dependencies
Why are the changes needed?
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically
Having knowledge about vulnerabilities in the dependencies helps the project owners make decisions about their dependencies' security posture.
If the project decides to get only security updates and no version updates, then setting this option would not open any PRs: open-pull-requests-limit: 0
This option has to be enabled in the security section of the project.
https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates#managing-dependabot-security-updates-for-your-repositories
This is a recommendation from OSSF: https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool which is part of the Linux Foundation.
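As an added example (not the dependabot.yml from this PR, which is not shown on the page), here is a configuration matching the discussion above: one gomod entry for the main module and one for ./cmd, as @kolyshkin asked for, each with open-pull-requests-limit: 0 so that Dependabot opens no version-update PRs. Security updates are a separate repository setting (the Security section linked above) and are not enabled by this file. The docker entry and its directory "/" are assumptions; the Dockerfile locations are cut off on this page.

```yaml
# Added example, not the PR's own file. The "/" and "/cmd" gomod directories
# follow the review comment above; the docker directory "/" is an assumption.
version: 2
updates:
  # Main Go module (go.mod at the repository root).
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    # 0 disables version-update PRs for this entry. Dependabot security
    # updates, if enabled in the repo's Security settings, are not affected
    # and have their own separate PR limit.
    open-pull-requests-limit: 0

  # ./cmd has its own go.mod/go.sum, so it needs its own entry. Dependabot
  # updates this module independently of the root module; that is the split
  # that broke CI in the thread above.
  - package-ecosystem: "gomod"
    directory: "/cmd"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0

  # Base images referenced by Dockerfiles. The directory is assumed here.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

With every limit at 0 the file only registers the manifests Dependabot should watch; raising the limit on one entry (for example to 5) is what makes it start opening version-update PRs for that module. The vulnerability alerts that @bobbypage relies on above do not depend on this file at all.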