use dependabot #55
This repo is mostly legacy now - @merks is migrating to the newer orbit-simrel under a funded development effort of the Eclipse IDE WG - the first goal of which is:
There is tooling (dependabot-like) that understands Maven target locations in target files that I think resolves this. In the meantime it is the responsibility of projects consuming EBR-based Orbit-delivered projects to ensure they aren't using vulnerable versions.
Is there an instruction somewhere on how to update a library?
Not yet. There are some readmes already: https://github.com/eclipse-orbit/orbit-simrel#readme And there is an Oomph setup... I just run this in the IDE and commit the changes that the analyzer finds: Is there something specifically you are looking to update right now?
Here's an example from running the tools just now: eclipse-orbit/orbit-simrel@a065abb The Platform's report is updated with the minor updates available for its target platform: https://github.com/eclipse-orbit/orbit-simrel/blob/main/report/maven-osgi/platform/REPORT.md So when I'm not tied up trying to remove ancient things from the Platform's target platform, I will update it to the latest:
Is it possible to use dependabot or a similar tool to monitor the libraries in use?
I manually stumbled across a vulnerable library in Orbit which already has a fixed version.