
Dependabot isn't as dependable as people would like it to be? :-) #26554

Closed
trixpan opened this issue Jul 5, 2022 · 6 comments · Fixed by #26611
Labels
area/housekeeping Issue type for generalized tasks not related to bugs or enhancements
Milestone

Comments

@trixpan
Contributor

trixpan commented Jul 5, 2022

Description

Hi,

I was tracking a Snyk vulnerability in a project where we use Quarkus and noticed mermaid-js was out of date.

Checking the .github/dependabot.yml I can see the package should have been auto-updated, yet it seems to have been forgotten?

@gsmet tagging you as you seem to be the 3PP overlord atm. ;-)

Implementation ideas

No response

@trixpan trixpan added the area/housekeeping Issue type for generalized tasks not related to bugs or enhancements label Jul 5, 2022
@trixpan
Contributor Author

trixpan commented Jul 5, 2022

added #26555 meanwhile

@geoand
Contributor

geoand commented Jul 5, 2022

We have a comment saying:

<!-- we don't add mermaid as a dependency as it brings a ton of things we don't use -->

which is I guess why we have not added the dependency to the dependencyManagement section of the build-parent pom.xml.
I assume this is why dependabot is not updating the dependency.

@trixpan
Contributor Author

trixpan commented Jul 5, 2022

@geoand it may be. I saw that comment and was a bit puzzled tbh. The wonders of maven... :-)

@geoand
Contributor

geoand commented Jul 5, 2022

So we should either remove the comment (if it is no longer applicable), or comment out the dependabot configuration for mermaid (with the appropriate explanation).

@geoand
Contributor

geoand commented Jul 6, 2022

cc @gsmet

@gastaldi
Contributor

gastaldi commented Jul 7, 2022

I created #26611 which makes the dependency visible to Dependabot and excludes any unwanted dependencies from where it is used.
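The shape of the fix described in this thread, written out as an added example (this is not the content of #26611 and not Quarkus' own pom): Dependabot's Maven support only proposes bumps for versions that are declared in a pom, so a webjar that is pulled in without a managed version is invisible to it. Declaring it once under dependencyManagement, with a wildcard exclusion so its transitive dependencies never reach consuming modules, gives Dependabot something to update while keeping "the ton of things we don't use" out of the build. The coordinate org.webjars.npm:mermaid, the mermaid.version property and the placeholder version are assumptions, not values taken from the repository.

```xml
<!-- Added example, not the project's own pom.xml. Coordinate, property name and
     version are assumptions; the real values live in the build-parent pom. -->
<project>
  <properties>
    <!-- Dependabot rewrites this single declared version when a new release appears -->
    <mermaid.version>0.0.0-PLACEHOLDER</mermaid.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.webjars.npm</groupId>
        <artifactId>mermaid</artifactId>
        <version>${mermaid.version}</version>
        <exclusions>
          <!-- Wildcard exclusion (supported since Maven 3.2.1): every transitive
               dependency of the webjar is dropped. Modules that declare this
               dependency without a version inherit both the version and the
               exclusions from here. -->
          <exclusion>
            <groupId>*</groupId>
            <artifactId>*</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

A consuming module then lists `org.webjars.npm:mermaid` with no version and no exclusions of its own; `mvn dependency:tree` on that module is the quick check that nothing beyond the webjar itself was added, and the dependabot.yml entry for the Maven ecosystem needs no change because the version is now declared where Dependabot looks.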

gsmet pushed a commit that referenced this issue Jul 11, 2022
@quarkus-bot quarkus-bot bot added this to the 2.11 - main milestone Jul 11, 2022