dependabot-core VS Feedbin

Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)

Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing it would re-introduce the same potential vulnerability).

Storybook is great and all, but these days nearly every Dependabot alert I get is about a sub-dependency of Storybook. Since Dependabot doesn't currently allow you to ignore dev dependencies and only check production dependencies [0], this makes Storybook a Big Noise Generator and every time I dismiss another alert from it, I can't help but wonder if there's a better option out there.

[0] https://github.com/dependabot/dependabot-core/issues/2521

P.S. While this being a powerful and handy tool itself, it is only a part of Dependabot’s capabilities. If you are interested, you’ll find more about them in the GitHub docs.

Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.

- https://github.com/dependabot/dependabot-core

An important point is that this kind of metadata often needs to be accessible from outside the build system itself. You need that for example in order to integration with renovate-bot or github's dependabot, to check your dependencies against CVEs, to build SBOMs and various other additional tasks that are not part of the build itself, but related to the build's metadata. This is all functionality I don't want to reimplement, I want to use what's already out there. And for that the build system needs to have some minimum amount of compatibility with existing standard metadata files like pom.xml or build.gradle

To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use Github’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.

I recognize that it does not handle chart updates, but it's might still ease the burden of applying minor releases easily etc. For the chart versions themselves, unfortunately dependabot does not support this and will not, but something like renovatebot does. Could be worth looking into as a dual approach

Disclosure: Renovate author

Renovate is indeed AGPL, but if you're just running it as a CLI, do you think there's anything to "watch out for"? It does not make any project you run it against AGPL, that's for sure.

Also you should be aware that dependabot-core, which dependabot-gitlab wraps, is not technically Open Source at all: https://github.com/dependabot/dependabot-core/blob/main/LICE...

Waiting for Yarn v2/v3 support in Dependabot has been a saga.

https://github.com/dependabot/dependabot-core/issues/1297

It would work the same for me, if only because I'd redirect the email to my RSS reader (via Feedbin[0] or Kill the Newsletter[1] or similar)! I suspect most people who care about RSS would do the same, but the Webflow docs[2] show it being pretty straightforward to set up, and (imo) it's an easy backup hedge against all your comms getting stuck in spam filters. Plus, it just feels more ADHD-friendly to me to reduce ping noise as much as possible.

[0] https://feedbin.com/

[1] https://kill-the-newsletter.com/

[2] https://university.webflow.com/lesson/rss-feed

I use Feedbin to read them. Because of their open nature nobody can tell the sole developer there “people can only read feeds using our app, and you can go pound sand”.

Comes to my mind one that I bumped into a while ago: Feedbin, although I haven't tried it. It's web based and it costs $5/month but it has a 30 day trial period. It works also through third party apps on Android and iOS (well, the latter seems to have a dedicated one by themselves).

There’s a RSS feed which you can use with something like feedbin.com

Links and Show Notes:More Power Users: Ad-free episodes with regular bonus segmentsSubmit FeedbackApple Releases iOS and iPadOS 16.4 with New Emoji, Notifications for Web Apps on the Home Screen, Voice Isolation for Cellular Calls, New Shortcuts Actions, and More - MacStoriesReadwiseKindle ScribeAmazon.com: How to Calm Your Mind by Chris BaileyMac Power Users #550: The World of RSS - Relay FMReadwise ReaderReeder 5FeedbinSubscribe to Email Newsletters in FeedbinGoodLinksThe Disney Bundle: Stream Disney+, Hulu, and ESPN+YouTube TVJustWatch AppCuriosity StreamYouTube PremiumCGP Grey - YouTubeHands-On With Apple's New Classical Music App - MacRumorsOvercastLibbyThree Thoughts Spurred by a Random iOS 5 Screenshot – 512 PixelsStephen Hackett (@[email protected]) - eworld.socialMacSparky (@[email protected]) - MastodonSofa: Downtime Organizer

I can recommend https://feedbin.com/ as a great replacement. It's $50 a year, but in return you get a service that is rock solid with an owner who is luckily very good in >> not << implementing features: no feature creep, no breaking changes, no BS.

I enjoy using Feedbin, as it's not only my own newsfeed for blogs, but it also supports Twitter too. The interface has a clean, thoughtful design which is really important for me.

I no longer self host it, but there is a community contributed Docker Compose stack for Feedbin.