Re: [all] stopping dependabot and security analyses on dormant components

2023-10-05 Thread Gary Gregory
The dependabot check is once a week on Friday which is, IMO, just right.

Gary

On Wed, Oct 4, 2023, 7:18 PM Phil Steitz  wrote:

> On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg  wrote:
> >
> > On 03/10/2023 at 20:18, Bruno Kinoshita wrote:
> > > Same for me, I prefer to know ahead of time if there are any issues
> with
> > > dependencies.
> >
> > But the Commons components are mostly dependency-less, we are flooded by
> > dependabot requests to update non code related dependencies (Maven
> > plugins, GitHub actions) for non critical purposes. It would be better
> > to have such notifications for CVEs only.
>
> I also hate the noise, but I share the pay-as-you-go mentality that
> Gary and Bruno express.  Shoving too many updates in the runup to the
> release can make things harder and cause things to be missed.  I was
> bitten badly some years back by a plugin update that caused release
> jars to be borked.  I would have more likely caught it if the update
> had happened sooner.   I think sebb's suggestion of decreasing check
> frequency is practical.
>
> Phil
> >
> > Emmanuel Bourg
> >
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
>


Re: [all] stopping dependabot and security analyses on dormant components

2023-10-04 Thread Phil Steitz
On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg  wrote:
>
> On 03/10/2023 at 20:18, Bruno Kinoshita wrote:
> > Same for me, I prefer to know ahead of time if there are any issues with
> > dependencies.
>
> But the Commons components are mostly dependency-less, we are flooded by
> dependabot requests to update non code related dependencies (Maven
> plugins, GitHub actions) for non critical purposes. It would be better
> to have such notifications for CVEs only.

I also hate the noise, but I share the pay-as-you-go mentality that
Gary and Bruno express.  Shoving too many updates in the runup to the
release can make things harder and cause things to be missed.  I was
bitten badly some years back by a plugin update that caused release
jars to be borked.  I would have more likely caught it if the update
had happened sooner.   I think sebb's suggestion of decreasing check
frequency is practical.

Phil
>
> Emmanuel Bourg
>
>




Re: [all] stopping dependabot and security analyses on dormant components

2023-10-03 Thread Emmanuel Bourg

On 03/10/2023 at 20:18, Bruno Kinoshita wrote:

Same for me, I prefer to know ahead of time if there are any issues with
dependencies.


But the Commons components are mostly dependency-less, we are flooded by 
dependabot requests to update non code related dependencies (Maven 
plugins, GitHub actions) for non critical purposes. It would be better 
to have such notifications for CVEs only.


Emmanuel Bourg





Re: [all] stopping dependabot and security analyses on dormant components

2023-10-03 Thread Bruno Kinoshita
Same for me, I prefer to know ahead of time if there are any issues with
dependencies.

On Tue, 3 Oct 2023, 19:23 Gary Gregory,  wrote:

> Getting rid of this is good for dormant components ONLY IMO.
>
> It is definitely not a release time task for me. As an RM, I certainly
> don't want to spend time doing this at release time. I want to update
> dependencies as they become available to let them become part of the code
> base where I can check and validate stability over time as I keep
> developing and maintaining. I want to know as soon as possible if something
> goes wrong, not at release time when *all i want to do* is release.
>
> Gary
>
>
>
> On Tue, Oct 3, 2023, 10:47 AM Emmanuel Bourg  wrote:
>
> > On 01/10/2023 at 14:09, sebb wrote:
> > > As the subject says: how does one stop dependabot and other analyses
> > > from running on dormant components?
> >
> > +1
> >
> > And even on all components, updating the dependencies is a release time
> > task. Updating 3 times the same Maven plugins between releases is a
> > waste of time.
> >
> > Emmanuel Bourg
> >
> >
>


Re: [all] stopping dependabot and security analyses on dormant components

2023-10-03 Thread Rob Spoor
You could try archiving the projects. That way all jobs are disabled, 
including dependabot. You can't push anymore, but unarchiving is just as 
easy as archiving.


Rob


On 03/10/2023 19:22, Gary Gregory wrote:

Getting rid of this is good for dormant components ONLY IMO.

It is definitely not a release time task for me. As an RM, I certainly
don't want to spend time doing this at release time. I want to update
dependencies as they become available to let them become part of the code
base where I can check and validate stability over time as I keep
developing and maintaining. I want to know as soon as possible if something
goes wrong, not at release time when *all i want to do* is release.

Gary



On Tue, Oct 3, 2023, 10:47 AM Emmanuel Bourg  wrote:


On 01/10/2023 at 14:09, sebb wrote:

As the subject says: how does one stop dependabot and other analyses
from running on dormant components?


+1

And even on all components, updating the dependencies is a release time
task. Updating 3 times the same Maven plugins between releases is a
waste of time.

Emmanuel Bourg





Re: [all] stopping dependabot and security analyses on dormant components

2023-10-03 Thread Gary Gregory
Getting rid of this is good for dormant components ONLY IMO.

It is definitely not a release time task for me. As an RM, I certainly
don't want to spend time doing this at release time. I want to update
dependencies as they become available to let them become part of the code
base where I can check and validate stability over time as I keep
developing and maintaining. I want to know as soon as possible if something
goes wrong, not at release time when *all i want to do* is release.

Gary



On Tue, Oct 3, 2023, 10:47 AM Emmanuel Bourg  wrote:

> On 01/10/2023 at 14:09, sebb wrote:
> > As the subject says: how does one stop dependabot and other analyses
> > from running on dormant components?
>
> +1
>
> And even on all components, updating the dependencies is a release time
> task. Updating 3 times the same Maven plugins between releases is a
> waste of time.
>
> Emmanuel Bourg
>
>


Re: [all] stopping dependabot and security analyses on dormant components

2023-10-03 Thread sebb
On Tue, 3 Oct 2023 at 15:47, Emmanuel Bourg  wrote:
>
> On 01/10/2023 at 14:09, sebb wrote:
> > As the subject says: how does one stop dependabot and other analyses
> > from running on dormant components?
>
> +1
>
> And even on all components, updating the dependencies is a release time
> task. Updating 3 times the same Maven plugins between releases is a
> waste of time.

+1000

Unfortunately it does not appear to be possible to trigger Dependabot
checks manually.

However, it is possible to reduce the frequency to monthly, which
might reduce the churn somewhat.

An alternative might be to disable the checks (e.g. by renaming the
file), and re-enable with a suitable check date shortly before a
release.

> Emmanuel Bourg
>
>


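The two knobs discussed in this thread, the check cadence (Gary's weekly Friday run, sebb's monthly alternative) and limiting the noise from non-code dependencies such as Maven plugins and GitHub Actions (Emmanuel's request), both live in `.github/dependabot.yml`. The file below is an added illustration written for this thread; it is not taken from any Apache Commons repository. It assumes a Maven build at the repository root that also uses GitHub Actions workflows; the `org.apache.maven.plugins:*` pattern is the standard Maven plugin groupId and is used here only as an example of which dependencies to ignore.

```yaml
# .github/dependabot.yml (illustrative example, not from a Commons component)
version: 2
updates:
  # Maven dependencies and plugins.
  - package-ecosystem: "maven"
    directory: "/"            # assumed: pom.xml at the repository root
    schedule:
      # Current setup described in the thread: once a week on Friday.
      # Replace "weekly" with "monthly" (and drop "day") to get the
      # reduced cadence sebb suggests.
      interval: "weekly"
      day: "friday"
    ignore:
      # Skip routine minor/patch bumps of Maven plugins; a new major plugin
      # version still produces a PR so it can be reviewed early, which is
      # the kind of plugin change Phil was bitten by.
      - dependency-name: "org.apache.maven.plugins:*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"

  # GitHub Actions used by the workflows in .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    # A limit of 0 stops Dependabot from opening version-update PRs for
    # this ecosystem while leaving the configuration in place.
    open-pull-requests-limit: 0
```

Two caveats worth knowing before relying on this. First, this file only governs Dependabot *version updates*; Dependabot *alerts* and *security updates* (the CVE-only notifications Emmanuel asks for) are switched on and off per repository under the "Code security" settings, not here. That is also why deleting or renaming the file, as suggested for dormant components, leaves the security checks showing as enabled. Second, `open-pull-requests-limit: 0` suppresses version-update PRs but does not suppress security-update PRs, so it is the closest this file gets to "CVEs only" for an ecosystem.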


Re: [all] stopping dependabot and security analyses on dormant components

2023-10-03 Thread Emmanuel Bourg

On 01/10/2023 at 14:09, sebb wrote:

As the subject says: how does one stop dependabot and other analyses
from running on dormant components?


+1

And even on all components, updating the dependencies is a release time 
task. Updating 3 times the same Maven plugins between releases is a 
waste of time.


Emmanuel Bourg





Re: [all] stopping dependabot and security analyses on dormant components

2023-10-01 Thread sebb
That has already been done for functor (some time ago), but the checks
are still shown as enabled:

https://github.com/apache/commons-functor/security

On Sun, 1 Oct 2023 at 13:12, Gary Gregory  wrote:
>
> Edit the files in the .github folder (or remove them).
>
> Gary
>
> On Sun, Oct 1, 2023 at 8:09 AM sebb  wrote:
> >
> > As the subject says: how does one stop dependabot and other analyses
> > from running on dormant components?
> >
> > Sebb
> >




Re: [all] stopping dependabot and security analyses on dormant components

2023-10-01 Thread Gary Gregory
Edit the files in the .github folder (or remove them).

Gary

On Sun, Oct 1, 2023 at 8:09 AM sebb  wrote:
>
> As the subject says: how does one stop dependabot and other analyses
> from running on dormant components?
>
> Sebb
>




[all] stopping dependabot and security analyses on dormant components

2023-10-01 Thread sebb
As the subject says: how does one stop dependabot and other analyses
from running on dormant components?

Sebb
