[jira] [Commented] (AVRO-2981) Avrogen: Bump dependency versions

Wed, 03 Mar 2021 07:46:12 -0800 


    [ 
https://issues.apache.org/jira/browse/AVRO-2981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17294605#comment-17294605
 ] 

Ryan Skraba commented on AVRO-2981:
-----------------------------------

I see this is marked for 1.10.2 (and that I was the one that added the fix 
version!)  I just wanted to confirm two things!

Are there bumps to be applied for Avrogen for 1.10.2 or should I drop that fix 
version until 1.11.0

I see that dependabot bumps for these two packages were actually applied 
([here|https://github.com/apache/avro/commit/b90278af3446fe82b061c08076d61b7d1ecaa445]
 and 
[here|https://github.com/apache/avro/commit/1f746d4941ae80216295ce112b84353043be5395]):
{code:xml}
 <PackageReference Include="System.Reflection.Emit.ILGeneration" 
Version="4.7.0" />
 <PackageReference Include="System.Reflection.Emit.Lightweight" Version="4.7.0" 
/>
{code}

(They used to be 4.3.0)  Should I avoid cherry-picking them for 1.10.2?
 

> Avrogen: Bump dependency versions
> ---------------------------------
>
>                 Key: AVRO-2981
>                 URL: https://issues.apache.org/jira/browse/AVRO-2981
>             Project: Apache Avro
>          Issue Type: Improvement
>          Components: csharp
>            Reporter: Brian Lachniet
>            Assignee: Brian Lachniet
>            Priority: Major
>             Fix For: 1.11.0, 1.10.2
>
>
> As described in [this 
> comment|https://github.com/apache/avro/pull/981#discussion_r525692847], we 
> prefer not to bump the dependency versions in libraries.
> {quote}By updating the versions in our libraries, we require users of the 
> library to update to a version equal to or greater than the version we 
> reference. For example, if a user were to reference an older version of 
> Newtonsoft.Json, the would be forced to update to a newer version before they 
> could use a new version of the Avro library.
> In short, we should only update the version of the dependencies in our 
> libraries if we absolutely must for functionality that we require. We leave 
> it up to the users of the library as to whether or not they want the latest 
> and greatest of a particularly dependency. We're only going to require the 
> bare minimum.{quote}
> That said, we should still reference newer versions of dependencies in any 
> executables we ship so that the exe has the latest security updates. At this 
> time, Avrogen is the only exe we ship.
> As part of this issue, we should:
> * Update Avrogen dependencies
> * Document are dependency update strategy for exe vs library in the 
> {{lang/cshpar/README.md}}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to