Can Dependabot suggest patches for a direct dependency?
Currently, Dependabot suggests only the vulnerable package's patch version (fix), but if I need to upgrade only the direct dependency which consumes the fix.
No, Dependabot checks whether it's possible to upgrade the vulnerable dependency to a fixed version without disrupting the dependency graph for the repository. Then Dependabot raises a pull request to update the dependency to the minimum version that includes the patch.