Comment on How do you keep track of vulnerabilities?
just_another_person@lemmy.world 2 months ago
Well a PR means an upstream fix for the project. If you want to scan all your local running things, by all means change whatever you want, but it will just be potentially wiped out by the tool you mentioned if running.
eager_eagle@lemmy.world 2 months ago
dependabot is a tool for repos, not to apply local changes
just_another_person@lemmy.world 2 months ago
I’m aware, but then you mentioned “manual changes”, which connotes “local changes”. Putting up a PR with changes isn’t considered a manual anything.
eager_eagle@lemmy.world 2 months ago
It doesn’t. Manual as in a PR with upgrades that you’re suggesting yourself, as opposed to running dependabot.
If I have to open a PR myself, that’s very much a manual change.
just_another_person@lemmy.world 2 months ago
I don’t even know what you’re talking about now, so I’m going to stop responding. If Dependabot was already enabled for a project, you probably wouldn’t need to worry, so that negates this entire thread. 🙄