Comment on How do you keep track of vulnerabilities?
just_another_person@lemmy.world 5 weeks ago
Well a PR means an upstream fix for the project. If you want to scan all your local running things, by all means change whatever you want, but it will just be potentially wiped out by the tool you mentioned if running.
eager_eagle@lemmy.world 5 weeks ago
dependabot is a tool for repos, not to apply local changes
just_another_person@lemmy.world 5 weeks ago
I’m aware, but then you mentioned “manual changes”, which connotes “local changes”. Putting up a PR with changes isn’t considered a manual anything.
eager_eagle@lemmy.world 5 weeks ago
It doesn’t. Manual as in a PR with upgrades that you’re suggesting yourself, as opposed to running dependabot.
If I have to open a PR myself, that’s very much a manual change.
just_another_person@lemmy.world 5 weeks ago
I don’t even know what you’re talking about now, so I’m going to stop responding. If Dependabot was already enabled for a project, you probably wouldn’t need to worry, so that negates this entire thread. 🙄