This morning I encountered a situation where a package update was received that had no release notes:
At the time of writing, there is no tag in the package's GitHub repository that corresponds to the v5.1.0 release. The package diff looks legitimate, so I think this is a case where the maintainer simply forgot to push a tag.
It would be helpful if this tool could flag such suspicious updates and require additional confirmation before merging.
Some ideas of things to look out for:

- Empty release notes in diff (where empty includes notes that only contain Dependabot's standard boilerplate)
- Maintainer change (this info is present in some Dependabot PRs, but not currently highlighted in this tool's CLI output)
- Missing GitHub release or tag for package
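As an added example (not part of this issue or of the tool's own code), here is one way the three heuristics above could be scored for a single update; the boilerplate phrases, the `UpdateInfo` fields and the sample update are constructed assumptions, not Dependabot's real PR format.

```python
import re
from dataclasses import dataclass

# Constructed approximations of lines Dependabot puts in every PR body; none describe the release.
DEPENDABOT_BOILERPLATE = (
    r"^bumps \S+ from \S+ to \S+",
    r"dependabot will resolve any conflicts",
    r"dependabot commands and options",
    r"you can trigger a rebase",
)

@dataclass
class UpdateInfo:
    new_version: str        # e.g. "5.1.0"
    release_notes: str      # notes section Dependabot pasted into the PR body
    old_maintainers: set    # maintainers recorded for the previous version
    new_maintainers: set    # maintainers recorded for the new version
    repo_tags: set          # tags found in the package's GitHub repository

def notes_are_empty(notes: str) -> bool:
    """True when every non-blank line is Dependabot boilerplate (or there are no lines)."""
    for line in notes.splitlines():
        text = line.strip()
        if text and not any(re.search(p, text, re.I) for p in DEPENDABOT_BOILERPLATE):
            return False  # a line with real release content
    return True

def has_release_tag(version: str, tags: set) -> bool:
    """Accept both the 'v5.1.0' and the bare '5.1.0' tagging conventions."""
    return version in tags or "v" + version in tags

def assess_update(info: UpdateInfo) -> list:
    """Return the reasons this update should need extra confirmation (empty list = none)."""
    flags = []
    if notes_are_empty(info.release_notes):
        flags.append("empty release notes")
    changed = info.new_maintainers ^ info.old_maintainers  # added or removed maintainers
    if changed:
        flags.append("maintainer change: " + ", ".join(sorted(changed)))
    if not has_release_tag(info.new_version, info.repo_tags):
        flags.append("no tag for %s in upstream repository" % info.new_version)
    return flags

# Constructed sample: boilerplate-only notes, one added maintainer, no matching tag.
SAMPLE = UpdateInfo(
    new_version="5.1.0",
    release_notes="Bumps example-pkg from 5.0.0 to 5.1.0.\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself.",
    old_maintainers={"alice"}, new_maintainers={"alice", "mallory"},
    repo_tags={"v5.0.0", "v4.9.2"},
)
```

A tool like this one could run `assess_update` on each PR and refuse to auto-merge whenever the returned list is non-empty.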