use dependabot

[jukzi]

Is it possible to use dependabot or some tool alike to monitor the used libraries?
I manually stumbled across a vulnerable library in orbit which already has a fixed version.

[jonahgraham]

This repo is mostly legacy now - @merks is migrating to newer orbit-simrel under the a funded development effort of the Eclipse IDE WG - the first goal of which is:

Migrate all recipes to use maven target locations; the assumption is that this is 100% feasible. This would allow Orbit to drop support for EBR.

There is tooling (dependabot like) that understands maven target locations in target files that I think resolves this.

In the meantime it is the responsibility of projects consuming EBR based Orbit delivered projects to ensure they aren't using vulnerable versions.

[jukzi]

is there an instruction somewhere how to update a library?

[merks]

Not yet. There are some readmes already:

https://github.com/eclipse-orbit/orbit-simrel#readme

And there is an Oomph setup...

I just run this in the IDE and commit changes that the analyzer find:

Is there something specifically you are looking to update right now?

[merks]

Here's an example from running the tools just now:

eclipse-orbit/orbit-simrel@a065abb

The Platform's report is updated with the minor updates available for its target platform:

https://github.com/eclipse-orbit/orbit-simrel/blob/main/report/maven-osgi/platform/REPORT.md

So when I'm not tied up trying to remove ancient things form the Platform's target platform, I will update it to the latest:

eclipse-platform/eclipse.platform.releng.aggregator#1251