dependabot: autoapprove and merge dependabot PRs
@dvyukov, @a-nogikh wdyt about this automation at all?
Codecov Report
All modified and coverable lines are covered by tests.
Comparison is base (77b23aa) 62.7% compared to head (168ff7b) 62.7%. Report is 14 commits behind head on master.
I think it's better to keep manual control over the code we're bringing into our repository.
But de-facto we don't review that code.
We can split dependencies in two groups:
Could be autoapproved:
cloud.google.com/go/logging v1.8.1
cloud.google.com/go/profiler v0.4.0
cloud.google.com/go/pubsub v1.33.0
cloud.google.com/go/secretmanager v1.11.4
cloud.google.com/go/storage v1.35.1
github.com/dvyukov/go-fuzz v0.0.0-20220726122315-1d375ef9f9f6
github.com/google/go-cmp v0.6.0
golang.org/x/net v0.19.0
golang.org/x/oauth2 v0.15.0
golang.org/x/perf v0.0.0-20230221235046-aebcfb61e84c
golang.org/x/sync v0.5.0
golang.org/x/sys v0.15.0
golang.org/x/tools v0.14.0
google.golang.org/api v0.153.0
google.golang.org/appengine/v2 v2.0.5
google.golang.org/genproto v0.0.0-20231106174013-bbf56f31fb17
Can be updated manually. But to be honest nobody will review this code:
github.com/gorilla/handlers v1.5.2
github.com/golangci/golangci-lint v1.55.2
github.com/ianlancetaylor/demangle v0.0.0-20230524184225-eabc099b10ab
github.com/prometheus/client_golang v1.17.0
github.com/stretchr/testify v1.8.4
github.com/ulikunitz/xz v0.5.11
gopkg.in/yaml.v3 v3.0.1
What is better? To eventually get some CVE or the supply chain attack? :)
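An added example (not the project's own code) of the two-group split sketched above: gate auto-approval of a Dependabot PR on whether every added or bumped go.mod requirement falls under a trusted module prefix, and report which modules need a human review otherwise. The prefix list, the go.mod snippets and the function names are constructed for illustration.

```python
import re

# Prefixes of the "could be autoapproved" group from the discussion.
AUTOAPPROVE_PREFIXES = (
    "cloud.google.com/go/",
    "golang.org/x/",
    "google.golang.org/",
    "github.com/google/go-cmp",
    "github.com/dvyukov/go-fuzz",
)
# "<module> <version>" with an optional trailing "// indirect" comment.
_REQ_RE = re.compile(r"^(\S+)\s+(v\S+)(?:\s*//.*)?$")

def parse_requires(gomod):
    """Return {module path: version} from the require directives of a go.mod."""
    reqs, in_block = {}, False
    for line in gomod.splitlines():
        s = line.strip()
        if s.startswith("require ("):
            in_block = True
            continue
        if in_block and s == ")":
            in_block = False
            continue
        if in_block:
            m = _REQ_RE.match(s)
        elif s.startswith("require "):
            m = _REQ_RE.match(s[len("require "):].strip())
        else:
            continue
        if m:
            reqs[m.group(1)] = m.group(2)
    return reqs

def can_autoapprove(base_gomod, head_gomod):
    """Return (ok, blocked): ok only if every added or bumped module is allowlisted."""
    base, head = parse_requires(base_gomod), parse_requires(head_gomod)
    changed = [m for m, v in head.items() if base.get(m) != v]
    blocked = sorted(m for m in changed if not m.startswith(AUTOAPPROVE_PREFIXES))
    return (bool(changed) and not blocked, blocked)

# Constructed sample go.mod contents (not the project's real go.mod).
BASE_GOMOD = """module example.com/repo
require (
    cloud.google.com/go/storage v1.35.0
    github.com/ulikunitz/xz v0.5.10
    golang.org/x/sys v0.14.0 // indirect
)
"""
HEAD_SAFE = BASE_GOMOD.replace("golang.org/x/sys v0.14.0", "golang.org/x/sys v0.15.0")
HEAD_MIXED = HEAD_SAFE.replace("xz v0.5.10", "xz v0.5.11")
```

A PR that touches only allowlisted modules gets `(True, [])`; one that also bumps a module outside the list is held back with that module named in `blocked`.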
But de-facto we don't review that code.
Of course we won't do deep reviews, but when I was looking at those PRs, I used to at least skim through the code just to check that there was nothing out of place.
Looks strange. Let's forget about it.