Comment on How do you keep track of vulnerabilities?
eager_eagle@lemmy.world 1 month agoThat may work for a handful of projects. It’d be my full time job if I did it for everything I run. Also, I might simply suggest maintainers to adopt dependabot or an alternative before I spend time with manual changes. These things should be automated.
just_another_person@lemmy.world 1 month ago
Well a PR means an upstream fix for the project. If you want to scan all your local running things, by all means change whatever you want, but it will just be potentially wiped out by the tool you mentioned if running.
eager_eagle@lemmy.world 1 month ago
dependabot is a tool for repos, not to apply local changes
just_another_person@lemmy.world 1 month ago
I’m aware, but then you mentioned “manual changes”, which connotes “local changes”. Putting up a PR with changes isn’t considered a manual anything.
eager_eagle@lemmy.world 1 month ago
It doesn’t. Manual as in a PR with upgrades that you’re suggesting yourself, as opposed to running dependabot.
If I have to open a PR myself, that’s very much a manual change.