Skip to content

Create Dependabot config file #86

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 21, 2021
Merged

Create Dependabot config file #86

merged 1 commit into from
Feb 21, 2021

Conversation

naveensrinivasan
Copy link
Member

Enable Dependabot for security notifications on dependencies https://dependabot.com/

inferno-chromium
inferno-chromium approved these changes Feb 21, 2021
View reviewed changes
.github/dependabot.yml
@@ -0,0 +1,7 @@
version: 2
updates:
- package-ecosystem: pip
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why pip ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I use the dependabot to generate this. I don't know what package manager the repository uses. Is this wrong?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://dependabot.com/docs/config-file/#package_manager-required
Should be these i think
go:modules
go:dep

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any package manager in this repository. Am I missing something?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dont know this. i only see docker container as package, dont see scorecard released as a go package (maybe we should). @dlorenc - can you help to review and see what is needed here.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn’t this Python repo have dependency on pip packages?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't see the repo, got confused with scorecards, yes criticality score is all pip.

inferno-chromium
inferno-chromium suggested changes Feb 21, 2021
View reviewed changes
Copy link
Contributor

@inferno-chromium inferno-chromium left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes needed as per comment above.

inferno-chromium
inferno-chromium approved these changes Feb 21, 2021
View reviewed changes
.github/dependabot.yml
@@ -0,0 +1,7 @@
version: 2
updates:
- package-ecosystem: pip
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't see the repo, got confused with scorecards, yes criticality score is all pip.

@inferno-chromium inferno-chromium merged commit 3759e10 into ossf:main Feb 21, 2021
@naveensrinivasan naveensrinivasan deleted the dependabot/add-v2-config-file branch February 21, 2021 22:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inferno-chromium inferno-chromium inferno-chromium approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@naveensrinivasan @inferno-chromium