Java Dependencies Updating


Apr 3, 2024, 4:30:14 AM
to OpenPnP
Dear Java experts on the group!

I'm not the "big Java project" expert, therefore I need your advice.

We have several Pull Requests that want to upgrade dependencies, generated by bots. Is it okay to merge these?

Can I trust these?


Jason von Nieda

Apr 3, 2024, 4:40:21 PM
to OpenPnP
My recommendation is to close them without merging, unless someone feels strongly enough to give it a proper review. I personally don't think they are worth it, as they are just low-effort bot posts.

As far as trust, I would trust the ones from dependabot, being a GitHub service, to not be malicious, but that's all. The others I wouldn't trust at all without reviewing them fully.

Without reviewing, we don't know if the supposed security risk actually applies to OpenPnP, or if the proposed change actually fixes it.
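As an added example (not OpenPnP's tooling or anything from this thread), a small triage script for the kind of review described above. It assumes the bot PR arrives as a unified diff of a Maven pom.xml and separates plain version bumps, which still need a person to decide whether the advisory applies and whether the new version fixes it, from any other added or removed line (a new repository, a new dependency, plugin edits) that a dependency bump has no business carrying. The sample diff and the artifact names in it are constructed.

```python
import re
from dataclasses import dataclass, field

VERSION_RE = re.compile(r"<version>([^<]+)</version>")
ARTIFACT_RE = re.compile(r"<artifactId>([^<]+)</artifactId>")
SKIP_PREFIXES = ("diff ", "index ", "+++", "---", "@@")  # diff metadata, not content

@dataclass
class Triage:
    bumps: dict = field(default_factory=dict)  # artifactId -> (old, new)
    flags: list = field(default_factory=list)  # diff lines a human must look at

def triage_diff(diff: str) -> Triage:
    """Pair each removed <version> with the added one for the same artifact;
    every other added/removed line is flagged instead of silently accepted."""
    result, pending, artifact = Triage(), [], None
    for line in diff.splitlines():
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        body = line[1:]  # drop the '+', '-' or ' ' diff marker
        if m := ARTIFACT_RE.search(body):
            artifact = m.group(1)  # normally a context line just above the bump
        version = VERSION_RE.search(body)
        if line[0] == "-" and version:
            pending.append((artifact, version.group(1), line))
        elif line[0] == "+" and version and pending and pending[-1][0] == artifact:
            result.bumps[artifact] = (pending.pop()[1], version.group(1))
        elif line[0] in "+-":
            result.flags.append(line)  # new dependency, repository, plugin, ...
    result.flags.extend(p[2] for p in pending)  # removals with no replacement
    return result

# Constructed sample PR: one genuine bump plus a new <repository>, the kind of
# extra change a "dependency update" should never carry unexplained.
SAMPLE_DIFF = """\
--- a/pom.xml
+++ b/pom.xml
@@ -10,6 +10,6 @@
     <dependency>
       <artifactId>gson</artifactId>
-      <version>2.8.5</version>
+      <version>2.10.1</version>
     </dependency>
@@ -40,2 +40,5 @@
   <repositories>
+    <repository>
+      <url>https://example.invalid/maven</url>
+    </repository>
   </repositories>
"""
```

Version bumps done through a `<properties>` entry rather than a `<version>` tag are not paired and end up in `flags`, which is the conservative outcome for a triage tool.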
