Amend the following paragraph to state that each maintainer must configure each repo to watch security alerts. Otherwise we believe no notification will be sent, even if security alerts are enabled for the repo.
Description
The maintainers guidelines need to be updated to state the need to act on Dependabot updates & alerts. The most relevant document to update is probably this: https://github.com/eiffel-community/community/blob/master/GOVERNANCE.md#maintainers
This was discussed at a TC meeting in Nov 2022.
Dependabot PRs
Also, announce the new Dependabot policy on the Eiffel Community mailing list.
Repositories that are de facto inactive and do not update their dependencies should be considered for demotion to dormant.
Motivation
We need clear directives for the maintainers of the Eiffel Community repos on how to handle Dependabot alerts.
Exemplification
Information is easily found from this point: https://github.com/eiffel-community/community/blob/master/GOVERNANCE.md#maintainers
Benefits
Faster and more controlled remediation of vulnerable dependencies.
Possible Drawbacks
Additional effort needed from maintainers, but given the current uncertainty on how to handle the Dependabot issues/PRs, the gain is probably higher.