Java Dependencies Updating


ma...@makr.zone

Apr 3, 2024, 4:30:14 AM
to OpenPnP
Dear Java experts on the group!

I'm not the "big Java project" expert, therefore I need your advice.

We have several Pull Requests that want to upgrade dependencies, generated by bots. Is it okay to merge these?


Can I trust these?

_Mark


Jason von Nieda

Apr 3, 2024, 4:40:21 PM
to OpenPnP
My recommendation is to close them without merging, unless someone feels strongly enough to give it a proper review. I personally don't think they are worth it, as they are just low effort bot posts.

As far as trust, I would trust the ones from dependabot, being a GitHub service, to not be malicious, but that's all. The others I wouldn't trust at all without reviewing them fully.

Without reviewing, we don't know if the supposed security risk actually applies to OpenPnP, or if the proposed change actually fixes it.

Jason
--
You received this message because you are subscribed to the Google Groups "OpenPnP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openpnp+u...@googlegroups.com.
