Java Dependencies Updating

[ma...@makr.zone]

Dear Java experts on the group!

I'm not the "big Java project" expert, therefore I need your advice.

We have several Pull Requests that want to upgrade dependencies, generated by bots. Is it okay to merge these?

https://github.com/openpnp/openpnp/pulls?q=is%3Apr+is%3Aopen+label%3Adependencies

Can I trust these?

_Mark

[Jason von Nieda]

My recommendation is to close them without merging, unless someone feels strongly enough to give it a proper review. I personally don't think they are worth it, as they are just low effort bot posts.

As far as trust, I would trust the ones from dependabot, being a Github service, to not be malicious, but that's all. The others I wouldn't trust at all without reviewing them fully.

Without reviewing, we don't know if the supposed security risk actually applies to OpenPnP, or if the proposed change actually fixes it.

Jason

--

You received this message because you are subscribed to the Google Groups "OpenPnP" group.

To unsubscribe from this group and stop receiving emails from it, send an email to openpnp+u...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/openpnp/5ff08ff7-955e-4715-a45e-60a15df68618n%40googlegroups.com.