Re: [ee4j-pmc] Accepting changes from dependabot

Just as an idea, could we automate this somehow so that the dependabot PR is automatically checked against the CQ database?

-Markus

 

 

From: ee4j-pmc-bounces@xxxxxxxxxxx [mailto:ee4j-pmc-bounces@xxxxxxxxxxx] On Behalf Of Wayne Beaton
Sent: Tuesday, November 17, 2020 18:11
To: arjan tijms
Cc: ee4j-pmc PMC List
Subject: Re: [ee4j-pmc] Accepting changes from dependabot

 

You can just accept them. 

 

Dependency updates don't generally introduce intellectual property exposures, but do note that we depend on the project team to identify third party content that may require review (i.e., if you believe that one of these changes introduces an exposure, open a CQ for it).

 

We have an issue open to resolve this.

 

Wayne

 

 

On Tue, Nov 17, 2020 at 11:50 AM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:

Hi,

 

Dependabot regularly does PRs to update dependencies, but being a bot it didn't sign the ECA and I think it's not even capable of doing so.

 

Can we accept these changes or not? I've seen some people accepting them, and some people rejecting them.

 

Kind regards,

Arjan Tijms

_______________________________________________
ee4j-pmc mailing list
ee4j-pmc@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/ee4j-pmc


 

--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

Join us at our virtual event: EclipseCon 2020 - October 20-22

