You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi! I'd like to suggest for go-cmp to enable a dependency update tool in order to keep CI dependencies up to date. It can also be enable to update dependencies in other ecosystems.
Having dependencies hash pinned and updated through a dep update tool is a good way to get vulnerabilities and bug fixes as soon as possible without blindly upgrading.
I'll be submiting a PR with a configuration for dependabot, but let me know if you rather renovatebot or other tool. Let me know what do you think about it.
Besides, I strongly recommend that you enable the Dependabot security updates option on Code security and analysis to receive out of schedule upgrades in case of a new security patch is released (avoiding being exposed for much time).
Disclosure: I'm from GOSST (Google Open Source Security Team) and I'm working on improving the supply security of many open source projects.
The text was updated successfully, but these errors were encountered:
Hi! I'd like to suggest for go-cmp to enable a dependency update tool in order to keep CI dependencies up to date. It can also be enable to update dependencies in other ecosystems.
Having dependencies hash pinned and updated through a dep update tool is a good way to get vulnerabilities and bug fixes as soon as possible without blindly upgrading.
I'll be submiting a PR with a configuration for dependabot, but let me know if you rather renovatebot or other tool. Let me know what do you think about it.
Besides, I strongly recommend that you enable the Dependabot security updates option on Code security and analysis to receive out of schedule upgrades in case of a new security patch is released (avoiding being exposed for much time).
Disclosure: I'm from GOSST (Google Open Source Security Team) and I'm working on improving the supply security of many open source projects.
The text was updated successfully, but these errors were encountered: