Comment on How do you keep track of vulnerabilities?
just_another_person@lemmy.world 1 year ago
Well, a PR means an upstream fix for the project. If you want to scan all your locally running things, by all means change whatever you want, but it will potentially just be wiped out by the tool you mentioned if it is running.
eager_eagle@lemmy.world 1 year ago
Dependabot is a tool for repos, not for applying local changes.
just_another_person@lemmy.world 1 year ago
I’m aware, but then you mentioned “manual changes”, which connotes “local changes”. Putting up a PR with changes isn’t considered a manual anything.
eager_eagle@lemmy.world 1 year ago
It doesn’t. Manual as in a PR with upgrades that you’re suggesting yourself, as opposed to running Dependabot.
If I have to open a PR myself, that’s very much a manual change.
just_another_person@lemmy.world 1 year ago
I don’t even know what you’re talking about now, so I’m going to stop responding. If Dependabot was already enabled for a project, you probably wouldn’t need to worry, so that negates this entire thread. 🙄