Stream: wasmtime

Topic: turn dependabot off?


Pat Hickey (May 14 2020 at 19:54):

dependabot has been unable to parse the dependency files for a few weeks, ever since we had to use the environment variable hack for wasi-common. should we turn it off?

Pat Hickey (May 14 2020 at 19:54):

I filed a support ticket but haven't heard anything

Alex Crichton (May 15 2020 at 16:02):

er meant to follow up on this but I agree -- https://github.com/bytecodealliance/wasmtime/pull/1713

Right now we're just getting a lot of noisy "can't parse manifest" error messages, and with cargo audit running on CI we should be alerted to security vulnerabilities anyway.

Pat Hickey (May 15 2020 at 16:12):

Yeah I’m not gonna hold my breath for dependabot being able to parse the unorthodox way the wasi common dep works, but I did tell support that if they didn’t want us just turning it off forever, they should have some backoff and only let it report identical messages so many times...

Dan Gohman (May 15 2020 at 16:16):

My subjective experience of dependabot is that the percentage of notifications I get that are helpful is too low overall.

Pat Hickey (May 15 2020 at 16:56):

agreed, I've yet to see it really do anything useful in the context of these projects.


Last updated: Dec 23 2024 at 14:03 UTC