
Extend ecosystems in Dependabot workflow #120

Status: Closed (1 commit, not merged)

Conversation

ScottBrenner (Contributor)

@punmechanic (Member)

Hey Scott, thanks! I'll review this once I am back at work on the 6th January 2025.

@punmechanic (Member)

So, my hesitance in accepting this is that it conflates "newer" with "better". The versions of the dependencies we have now work and don't have any vulnerabilities that cause issues. I'm pretty OK with keeping the dependencies as is; upgrading poses risks (breakages, introduced vulnerabilities in newer versions or bugs) and little upside (we intentionally want the behavior to stay exactly the same).

If this were software-as-a-service, where fixing a broken deploy was cheap, I'd be more open to it - but this is an executable that's not intended to be updated by users frequently. Releasing a release with bugs is difficult to fix since it's not baked into a package manager. For what it's worth, we intentionally vendor all of these dependencies internally.

@ScottBrenner ScottBrenner deleted the patch-1 branch January 13, 2025 18:50