Jamie Magee

Results: 253 comments by Jamie Magee

I'm not sure if GPG is necessary here. Something like [sigstore][1] or [GitHub's new artifact attestations][2] might be a more lightweight option.

[1]: https://www.sigstore.dev/
[2]: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

@AbhinavAbhinav11 what's the need for this detector over the [`MvnCliComponentDetector`][1]? The only thing I can see is the ability to get a list of direct dependencies without invoking the...

Some additional context for .NET 8 Release Candidate's support, from the [.NET and .NET Core Support Policy][1]

> Go-live releases are supported by Microsoft in production. These are typically our...

It's still possible to write custom detectors, but not to load them at runtime. We removed the runtime plugin functionality during our migration to .NET dependency injection in #412. If...

Hi folks 👋 I work on Dependabot, and it looks like I introduced this issue. It's due to the fact that we migrated the `requirements_update_strategy` from being a Ruby [`Symbol`][1]...

@waltervos I think you should pass `nil` for `auto`. If this is correct: https://github.com/dependabot/dependabot-core/blob/feb07451364eaeac790ee97f52619f8ebb2ca245/bin/dry-run.rb#L226

I think an event is the right level to encode this sort of information, and ecosystem information isn't important. But there may be the possibility that there are multiple upgrade...

It was great to meet up again @oliverchang 😄 I'll close this for now and follow up with upstream (npm and NuGet to start with)

Thanks for the issue. This sounds like a similar issue to #261 and #262. Could you take a look and let me know what you think?

@dbartol before you go too deep on this, would the [`IOptionsSnapshot`][1] pattern work?

[1]: https://learn.microsoft.com/en-us/dotnet/core/extensions/options#use-ioptionssnapshot-to-read-updated-data