Mastodon

Josh JusticeAnd another happy <a href="https://tdd.social/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> monthly updates day to those who celebrate!

Nikita KaramovAt this point <a href="https://fosstodon.org/tags/Vite" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Vite</a> should just throw their dev server away or expose it as an additional package. I'm tired of all those <a href="https://fosstodon.org/tags/Dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dependabot</a> MRs fixing the sEcUrItY vUlNeRaBiLiTiEs"Only apps explicitly exposing the Vite dev server to the network are affected" well yeah cause you're not supposed to do it 😩

Alessandro LaiIf you're using <a href="https://phpc.social/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> with a <a href="https://phpc.social/tags/php" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#php</a> library that still supports 7.4, it doesn't work now.This is due to them ditching 7.4 with this PR: <a href="https://github.com/dependabot/dependabot-core/issues/6527" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/dependabot/dependabot-core/issues/6527</a>I can understand pushing for the upgrade due to 7.4 being EOL, but that was a silent failure that I wasn't expecting. Also, if I'm not actively dropping support i.e. because it doesn't cost me anything in maintenace, I'm stuck.

David Guillot🚀 Great news for <a href="https://social.tchncs.de/tags/python" class="mention hashtag" rel="tag">#python</a> developers! <a href="https://social.tchncs.de/tags/dependabot" class="mention hashtag" rel="tag">#dependabot</a> now supports <a href="https://social.tchncs.de/tags/uv" class="mention hashtag" rel="tag">#uv</a> <a href="https://social.tchncs.de/tags/astraluv" class="mention hashtag" rel="tag">#astraluv</a> . Nothing stands between your codebase and almost-instant <a href="https://social.tchncs.de/tags/dependencymanagement" class="mention hashtag" rel="tag">#dependencymanagement</a>!<a href="https://github.blog/changelog/2025-03-13-dependabot-version-updates-now-support-uv-in-general-availability/" target="_blank" rel="nofollow noopener noreferrer" translate="no">https://github.blog/changelog/2025-03-13-dependabot-version-updates-now-support-uv-in-general-availability/</a>

Chris is.If you're not following it closely, you might have missed that <a href="https://wandering.shop/tags/uv" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#uv</a> support in <a href="https://wandering.shop/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> is now available in beta: <a href="https://github.com/dependabot/dependabot-core/issues/10478#issuecomment-2691330949" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/dependabot/dependabot-core/issues/10478#issuecomment-2691330949</a><a href="https://wandering.shop/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a>

viqRunning <a href="https://social.hackerspace.pl/tags/Authentik" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Authentik</a> with `latest` tag was convenient for <a href="https://social.hackerspace.pl/tags/homelab" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#homelab</a>, but they're moving away from making it possible (edit: from having :latest tag available, nothing else changes). What are the alternatives? Is there maybe something like "<a href="https://social.hackerspace.pl/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> but for <a href="https://social.hackerspace.pl/tags/kubernetes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#kubernetes</a> images"? (I'm currently running on <a href="https://social.hackerspace.pl/tags/podman" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#podman</a> on nixos, but I'm considering finally playing with <a href="https://social.hackerspace.pl/tags/k8s" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#k8s</a>, and regardless, this should be able to make it so I have proper image on nixos as well, I think)

LavX NewsDependabot Drops Support for Python 3.8: What Developers Need to KnowIn a significant shift for Python developers, Dependabot has officially ceased support for Python 3.8 as of February 5, 2025. This change underscores the importance of keeping up with language updates...<a href="https://news.lavx.hu/article/dependabot-drops-support-for-python-3-8-what-developers-need-to-know" rel="nofollow noopener noreferrer" target="_blank">https://news.lavx.hu/article/dependabot-drops-support-for-python-3-8-what-developers-need-to-know</a><a href="https://mastodon.cloud/tags/news" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#news</a> <a href="https://mastodon.cloud/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tech</a> <a href="https://mastodon.cloud/tags/SoftwareSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#SoftwareSecurity</a> <a href="https://mastodon.cloud/tags/Dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dependabot</a> <a href="https://mastodon.cloud/tags/Python3" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python3</a>

James :ruby:> Dependabot security updates may include compatibility scores to let you know whether updating a dependency could cause breaking changes to your project. These are calculated from CI tests in other public repositories where the same security update has been generated. An update's compatibility score is the percentage of CI runs that passed when updating between specific versions of the dependency.😍<a href="https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates#about-compatibility-scores</a>Thanks to <a href="https://hachyderm.io/@richardTowers" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@richardTowers</a>! 🙌<a href="https://ruby.social/tags/github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#github</a> <a href="https://ruby.social/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> <a href="https://ruby.social/tags/ruby" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ruby</a>

James :ruby:Before they got taken over by GitHub, Dependabot used to provide a dashboard for each package. This dashboard displayed how many successful & failing CI builds of dependent projects *using* the package there had been for each version of the package.This gave an admittedly imperfect, but nevertheless useful, indication of the quality of each package release.Does this still exist somewhere...?<a href="https://ruby.social/tags/ruby" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ruby</a> <a href="https://ruby.social/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> <a href="https://ruby.social/tags/github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#github</a>

Olivier ForgetFYI <a href="https://social.tchncs.de/tags/Github" class="mention hashtag" rel="tag">#Github</a> <a href="https://social.tchncs.de/tags/Dependabot" class="mention hashtag" rel="tag">#Dependabot</a> flags that <a href="https://social.tchncs.de/tags/Go" class="mention hashtag" rel="tag">#Go</a> crypto <a href="https://social.tchncs.de/tags/vulnerability" class="mention hashtag" rel="tag">#vulnerability</a> in your project even if you aren't affected. It checks if you import the package, not if you actually use the affected functions. govulncheck does it correctly.Lucky for me that means I don't have to change anything in my project.Thanks to <a href="https://abyssdomain.expert/@filippo" class="u-url mention">@filippo</a>

Alvin Ashcraft 🐿️Using Dependabot to Manage .NET SDK Updates.<a href="https://buff.ly/3B5F6eD" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://buff.ly/3B5F6eD</a> <a href="https://hachyderm.io/tags/dotnet" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dotnet</a> <a href="https://hachyderm.io/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> <a href="https://hachyderm.io/tags/dependencies" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependencies</a> <a href="https://hachyderm.io/tags/updates" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#updates</a>

postmodernIs there a way to configure dependabot to ignore other test fixture Gemfile.lock files that are stored in spec/? <a href="https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file</a><a href="https://ruby.social/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a>

Anders EknertConfiguring <a href="https://hachyderm.io/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GitHub</a>'s <a href="https://hachyderm.io/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> to run at a scheduled interval, and to group all PR's into a single one... is such a massive time saver for anyone maintaining a large number of repos. Or even just a few npm repos, lol. Make sure to do that!<a href="https://gist.github.com/anderseknert/61525b108a4c3406a7a67d62edbeafe1" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://gist.github.com/anderseknert/61525b108a4c3406a7a67d62edbeafe1</a><a href="https://hachyderm.io/tags/OpenSource" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenSource</a> <a href="https://hachyderm.io/tags/Development" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Development</a>

Romain TartièreI am looking for help with <a href="https://mamot.fr/tags/github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#github</a> and <a href="https://mamot.fr/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a>.I am puzzled by how dependabot generate PRs for updates to dependencies of a <a href="https://mamot.fr/tags/ruby" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ruby</a> project.Take this PR which is supposed to update rubocop: it also bump json version. But rubocop does NOT depend on this new version of json so why is it part of the same PR?<a href="https://github.com/opus-codium/pakotoa/pull/233/files" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/opus-codium/pakotoa/pull/233/files</a>Is there some setting we can use to stop this insanity? The docs seems to scream that it does what I want it to do, but in reality I don't observe this.

Dennis DoomenBut here's an even better option: move your code to GitHub and take advantage of <a href="https://mastodon.social/tags/Dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dependabot</a>. This feature automatically detects which packages need updates and creates pull requests to handle them. It even includes relevant release notes and information on the risk level of updates based on similar attempts from the community.

David Cantrell 🏏<a href="https://fosstodon.org/tags/Github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Github</a> are idiots. Their <a href="https://fosstodon.org/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> has been moaning at me because some of my workflows use 'download-artifact@v4'. Apparently version 4.1.6 of that has some security oopsie, but by the time they notified me version 4.1.7 was out, and so my workflow should have been using that and there was nothing to fix. 1/4

Neil CraigIf you're seeing Dependabot PRs on Node projects named "Bump find-my-way and fastify" today and were not already on Fastify v5, be aware you'll need to update your Fastify config/usage (see <a href="https://fastify.dev/docs/latest/Guides/Migration-Guide-V5" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://fastify.dev/docs/latest/Guides/Migration-Guide-V5</a>).The `find-my-way` (indirect for me) update requires Fastify v5 apparently and that broke several projects which weren't on Fastify v5 yet. Luckily (well, intentionally, obv) the breakages were caught by CICD in dev.<a href="https://mastodon.social/tags/Node" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Node</a> <a href="https://mastodon.social/tags/Fastify" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Fastify</a> <a href="https://mastodon.social/tags/FindMyWay" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#FindMyWay</a> <a href="https://mastodon.social/tags/Dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dependabot</a>

David Lord :python:I created a new tool, gha-update, to update GitHub Actions pins in workflows to the latest versions, using commit hashes and tag comments. I've wanted to move away from monthly Dependabot updates, 3 pages of notifications at the beginning of each month, many for low activity/stable projects, is way too noisy. <a href="https://github.com/davidism/gha-update" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/davidism/gha-update</a> <a href="https://mas.to/tags/Python" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Python</a> <a href="https://mas.to/tags/GitHub" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#GitHub</a> <a href="https://mas.to/tags/Dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dependabot</a>

Robin OsborneI thought it might be FUN to finally get around to the <a href="https://hachyderm.io/tags/dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#dependabot</a> emails I've been getting for years, prompting me to update my public <a href="https://hachyderm.io/tags/github" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#github</a> repos, so I decided to write up the process.I'm on the *first repo*, 1500+ words and 20+ images in, and I haven't even got it building yet.Seem that <a href="https://hachyderm.io/tags/Azure" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Azure</a> has changed a bit in the decade+ since I wrote that repo. Maybe this isn't going to be as much fun as I hoped...<a href="https://hachyderm.io/tags/webdev" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#webdev</a> <a href="https://hachyderm.io/tags/coding" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#coding</a>

Foojay.ioDid you know? You can configure <a href="https://foojay.social/tags/Renovate" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Renovate</a> for every package manager you can think of. Even better, Renovate allows the contribution of new package managers, contrary to <a href="https://foojay.social/tags/Dependabot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Dependabot</a>. <a href="https://mastodon.top/@frankel" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@frankel</a> shares the details on Foojay :foojay: Today!<a href="https://foojay.io/today/renovate-for-everything/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://foojay.io/today/renovate-for-everything/</a><a href="https://foojay.social/tags/foojaytip" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#foojaytip</a>

Recent searches

Search options

Administered by:

Server stats:

#dependabot