Why would we not merge those PRs or even disable the whole thing?


On Fri, Oct 11, 2019 at 12:09 AM Francis Chuang <francischu...@apache.org>
wrote:

> Dependabot is a bot on Github that opens PRs to automatically upgrade
> out of date dependencies to fix security issues. Recently, Github
> acquired dependabot and is gradually enabling the bot on all repositories.
>
> It just opened a PR to upgrade a few dependencies in the Avatica
> repository: https://github.com/apache/calcite-avatica/pull/114
>
> I'd like to start some discussion as to how we should deal with these
> PRs. For some background, dependency upgrades should usually have a jira
> issue number assigned, so that the change is fully trackable. We
> recently had some discussion regarding trivial fixes to documentation
> and the consensus was that changes to the code are not considered to be
> trivial and that an issue should be filed on jira.
>
> If we will not merge these PRs, I think it makes sense to ask infra to
> disable them. Having these open PRs and then closing them manually seems
> to generate a lot of noise. According to the documentation for
> dependabot [1] it appears that we can either opt out of having
> dependabot opening PRs completely or have it open PRs. There is no
> middle-ground where dependabot/Github sends members of the repo a
> notification for security issues, but does not open any PRs.
>
> What do you guys think?
>
> Francis
>
> [1]
> https://help.github.com/en/articles/configuring-automated-security-fixes
>
