undefined | Better HN

0 pointscolejohnson663y ago0 comments

> I feel the same way about those bots that tell you about insignificant security vulnerabilities in some project you abandoned. It's basically spam.

If you "archive" your repos, dependabot and friends won’t bother you.

Or, you could just disable security alerts in your repo's settings.

0 comments

oefrha3y ago

Dependabot isn’t the only source of vulnerability fatigue, there are plenty of “researchers” who would spam your active projects about pointless “vulnerabilities”. For instance, I recently got one about a parsing issue in gmp from a human user, who probably found it by scanning PyPI. I’m not touching anything adjacent to the supposedly vulnerable codepath, and the fix isn’t even in a gmp release, meaning I would have to carry a patch if I were to “fix” it. I still responded amicably, but I was not happy.

colejohnson66OP3y ago

There’s not really anything that can be done about that, yet, unfortunately. But if you’re not committing to the repo anymore, archiving it is an option. It’ll disable the issue tracker and pull request features. And if you change your mind, you can unarchive it.

j / k navigate · click thread line to collapse