I’m having trouble staying on top of updates for my self hosted applications and infrastructure. Not everything has auto updates baked in and some things you may not want to auto update. How do y’all handle this? How do you keep track of vulnerabilities? Are there e.g. feeds for specific applications I can subscribe to via RSS or email?

  • @just_another_person@lemmy.worldEnglish
    -121 days ago

    This is a bad idea for a number of reasons. Most obvious issue is that it doesn’t guarantee anything in the way of actually fixing vulnerabilities, because some project you use may not even be scanning their own work.

      • @just_another_person@lemmy.worldEnglish
        -121 days ago

        Yup. Really easy in most cases if you’re just upgrading a dependency version of something to the next minor release up, but then it has to pass all the project CI tests, and get an actual maintainer to tag it for release. That’s how open source works though.

        • Eager EagleEnglish
          321 days ago

          That may work for a handful of projects. It’d be my full time job if I did it for everything I run. Also, I might simply suggest maintainers to adopt dependabot or an alternative before I spend time with manual changes. These things should be automated.

          • @just_another_person@lemmy.worldEnglish
            -121 days ago

            Well a PR means an upstream fix for the project. If you want to scan all your local running things, by all means change whatever you want, but it will just be potentially wiped out by the tool you mentioned if running.

            • Eager EagleEnglish
              021 days ago

              dependabot is a tool for repos, not to apply local changes

              • @just_another_person@lemmy.worldEnglish
                -121 days ago

                I’m aware, but then you mentioned “manual changes”, which connotes “local changes”. Putting up a PR with changes isn’t considered a manual anything.

                • Eager EagleEnglish
                  121 days ago

                  “manual changes”, which connotes “local changes”

                  It doesn’t. Manual as in a PR with upgrades that you’re suggesting yourself, as opposed to running dependabot.

                  Putting up a PR with changes isn’t considered a manual anything.

                  If I have to open a PR myself, that’s very much a manual change.

                  • @just_another_person@lemmy.worldEnglish
                    -121 days ago

                    I don’t even know what you’re talking about now, so I’m going to stop responding. If Dependabot was already enabled for a project, you probably wouldn’t need to worry, so that negates this entire thread. 🙄