Comment on How do you keep track of vulnerabilities?
just_another_person@lemmy.world 10 months ago
Well, a PR means an upstream fix for the project. If you want to scan all your local running things, by all means change whatever you want, but it will just potentially be wiped out by the tool you mentioned if it's running.
eager_eagle@lemmy.world 10 months ago
dependabot is a tool for repos, not to apply local changes
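For readers unfamiliar with the repo-level setup the comment above refers to, here is a minimal `.github/dependabot.yml`. This is an added example, not something posted by either commenter: it tells Dependabot to scan the repository's manifests and open PRs against it; the ecosystem, directory and interval values are placeholder assumptions, and note that Dependabot security updates (PRs for known-vulnerable versions) are switched on in the repository's security settings rather than in this file.

```yaml
# .github/dependabot.yml (added example, hypothetical project layout)
version: 2
updates:
  # Version updates for a Python project whose requirements.txt / pyproject
  # lives at the repo root (assumed layout); Dependabot opens one PR per
  # outdated dependency, up to the limit below, rather than editing a checkout.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"

  # Keep the GitHub Actions pinned in .github/workflows current too; a stale
  # action is part of the same supply-chain surface as a stale library.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Each PR Dependabot opens is an ordinary branch plus pull request in the repository, so it goes through the same review and CI as a hand-written upgrade PR; the file above only controls which manifests are scanned and how often.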
just_another_person@lemmy.world 10 months ago
I’m aware, but then you mentioned “manual changes”, which connotes “local changes”. Putting up a PR with changes isn’t considered a manual anything.
eager_eagle@lemmy.world 10 months ago
It doesn’t. Manual as in a PR with upgrades that you’re suggesting yourself, as opposed to running dependabot.
If I have to open a PR myself, that’s very much a manual change.
just_another_person@lemmy.world 10 months ago
I don’t even know what you’re talking about now, so I’m going to stop responding. If Dependabot was already enabled for a project, you probably wouldn’t need to worry, so that negates this entire thread. 🙄