dependabot-core VS rife2

Oh yes, https://github.com/dependabot/dependabot-core/issues/3253. I wouldn't go so far as saying it was locked because it was too uncivil, mostly just because "additional commentary wasn't adding value" ;)

Your read on the situation is spot on, and no, it doesn't look like it's been "fixed" (mostly because "fixing it would re-introduce the same potential vulnerability).

Storybook is great and all, but these days nearly every Dependabot alert I get is about a sub-dependency of Storybook. Since Dependabot doesn't currently allow you to ignore dev dependencies and only check production dependencies [0], this makes Storybook a Big Noise Generator and every time I dismiss another alert from it, I can't help but wonder if there's a better option out there.

[0] https://github.com/dependabot/dependabot-core/issues/2521

P.S. While this being a powerful and handy tool itself, it is only a part of Dependabot’s capabilities. If you are interested, you’ll find more about them in the GitHub docs.

Hello! I'm using Helm in K8s and curious if there is a solution that could keep tabs on the deployed chart dependency versions and either alert us when something is out of date or when a new release is available. Does this exist? I was thinking something like Dependabot or Renovate, but neither seems to be able to manage this.

- https://github.com/dependabot/dependabot-core

An important point is that this kind of metadata often needs to be accessible from outside the build system itself. You need that for example in order to integration with renovate-bot or github's dependabot, to check your dependencies against CVEs, to build SBOMs and various other additional tasks that are not part of the build itself, but related to the build's metadata. This is all functionality I don't want to reimplement, I want to use what's already out there. And for that the build system needs to have some minimum amount of compatibility with existing standard metadata files like pom.xml or build.gradle

To avoid any potential data breaches, it is recommended that users upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z) and integrate security tooling such as docker-cli-scan or use Github’s built-in monitoring for supply chain vulnerabilities, which already contains a record referencing this vulnerability.

I recognize that it does not handle chart updates, but it's might still ease the burden of applying minor releases easily etc. For the chart versions themselves, unfortunately dependabot does not support this and will not, but something like renovatebot does. Could be worth looking into as a dual approach

Disclosure: Renovate author

Renovate is indeed AGPL, but if you're just running it as a CLI, do you think there's anything to "watch out for"? It does not make any project you run it against AGPL, that's for sure.

Also you should be aware that dependabot-core, which dependabot-gitlab wraps, is not technically Open Source at all: https://github.com/dependabot/dependabot-core/blob/main/LICE...

Waiting for Yarn v2/v3 support in Dependabot has been a saga.

https://github.com/dependabot/dependabot-core/issues/1297

It is possible, and I realize we've not written docs about it yes, we'll fix that soon. We're using two modules in RIFE2 and bld itself, one for the main build and one for the framework examples https://github.com/rife2/rife2/tree/main/src/bld/java/rife

There's more detail in the readme on GitHub:

https://github.com/gbevin/rife2

Including:

> RIFE2 has features that after 20 years still can't be found elsewhere: web continuations, bidirectional template engine, bean-centric metadata system, full-stack without dependencies, metadata-driven SQL builders, content management framework, full localization support, resource abstraction, persisted cron-like scheduler, continuations-based workflow engine.

Doesn't appear to have websocket support, though.

I'm very excited to see what web projects, both big and small, can be accomplished with such a self-contained framework like RIFE2. And we've only scratched the surface! There's a built-in template system, Continuations, and much more. Definitely read the docs if you want to dig deeper into this framework. Also, be sure to thank the framework author, Geert Bevin, for the amount of effort he has put into this!

The validation and meta-data however doesn't require the model to extend a class, there's the possibility to use meta-data merging to have a sibling class that implements the RIFE2 specific logic, which will be merged at runtime through bytecode instrumentation: https://github.com/gbevin/rife2/wiki/Metadata-Merging

RIFE2 does support arbitrary parameters, in various ways. The manual way is when generating a URL with urlFor, you can add parameters to it c.urlFor(route).param(key, value).param(key, value). You can also annotated Element class fields with @Parameter which will have RIFE2 automatically inject the incoming value, there's an additional annotation attribute that can be set to specific the flow of the data: in, out or inout. When you generate a URL with c.urlFor(route), RIFE2 will look at the element currently in your context, the element targeted by your route and any out parameters that have corresponding in parameter names on the target, will be automatically added to the generated URL with the value they currently hold. Some of that is documented here, but it could definitely use some more love: https://github.com/gbevin/rife2/wiki/Field-Annotations

Java seems to have gained a second wind in recent years, and the innovation in this ecosystem is speeding up. Java 20 and LTS release 21 are expected to happen this year. RIFE2, an actively-developed pure-Java web framework, has recently caught my attention. Like Javalin, it appears to be built on top of the successful Jetty server. I also started exploring FXGL for building games with Java. Lastly, as concerns over COVID-19 variants wane I expect an increase in Java developers participating in community events. For example, Chicago finally had its first in-person JConf event and the Chicago Java User Group (CJUG) is easing back into in-person events.

There's a step-by-step readme to get a quick glance at the feel and the approach: https://github.com/gbevin/rife2/blob/main/README.md, a series of concise examples https://github.com/gbevin/rife2/tree/main/app/src/main/java/rife and a growing full manual: https://github.com/gbevin/rife2/wiki