I agree that we should be trying to stay on the most recent version of our dependencies (with a few exceptions, such as JavaCC). Most of our dependencies are mature libraries, and the latest version is more likely to fix security problems than to introduce bugs.
However, I'm not sure that Dependabot is the best way to do it. One, Dependabot generates quite a lot of noise (frequent upgrades). Two, we would have to restructure our build files. The best process is probably to do manual upgrades, like https://github.com/apache/calcite/pull/3504, just before each release. Is there a straightforward way to script those upgrades?

Julian

On Sun, Nov 5, 2023 at 1:09 AM Jiajun Xie <[email protected]> wrote:
>
> Hi, Hongyu.
>
> Your idea is great and you also introduced the steps to use it.
>
> We need more feedback about benefits and risks from Calcite users.
>
> # What are the benefits?
> - Quickly fix dependency vulnerabilities.
> - Balancing the workload of each upgrade (not 4.0 to 7.x).
> - ...
>
> # What are the risks?
> - The latest version may be unstable.
> - The burden of upgrading Calcite for users has increased.
> - ...
>
> For me, the risks are acceptable.
> I am willing to help you complete this work.
>
> On Sat, 4 Nov 2023 at 21:04, Hongyu Guo <[email protected]> wrote:
> >
> > Hi all,
> >
> > Recently, I opened 2 PRs about removing an unused library[1] and bumping various libraries[2]. I noticed that many dependencies of Calcite are outdated. To address this issue, I suggest enabling Dependabot[3] to automatically open "bump dependency" PRs and make Calcite healthier.
> >
> > If we enable Dependabot, what should we do?
> >
> > - Add `dependabot.yml` to `.github/`. It is straightforward, just follow the instructions in the documentation[4].
> > - Refactor Gradle project files: Dependabot's support for Gradle is not sufficient, as it only reads the text of `build.gradle.kts`, `build.gradle`, and `settings.gradle.kts` instead of running Gradle. Additionally, Dependabot can NOT read `gradle.properties`, so we need to refactor the Gradle project files.
> > - Ignore some dependencies: Some dependencies cannot be upgraded. For example, I attempted to bump javacc from 4.0 to 7.x, but due to incompatibility caused by the large version span, I had to give up. Also, we cannot upgrade elasticsearch due to licensing restrictions.
> >
> > What is your opinion on Dependabot?
> >
> > [1] https://github.com/apache/calcite/pull/3502
> > [2] https://github.com/apache/calcite/pull/3504
> > [3] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
> > [4] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle
> >
> > Best,
> > Hongyu
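As an added example (not a file from the thread or from the Calcite project), the `.github/dependabot.yml` below puts the steps Hongyu lists and the two concerns raised in the replies into one configuration: the Gradle ecosystem, `ignore` rules for the two dependencies the thread says cannot be bumped, a cap on open PRs plus grouping to limit the noise Julian mentions, and a rule that leaves major-version jumps to manual PRs like #3504. The Maven coordinates used for javacc and elasticsearch are my assumptions; the thread names the libraries but not their artifact ids.

```yaml
# .github/dependabot.yml -- added example, not the Calcite project's own file.
# Assumed (not stated in the thread): the Maven coordinates
# net.java.dev.javacc:javacc and org.elasticsearch* for the two
# dependencies the thread describes as non-upgradeable.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    # Dependabot parses build.gradle(.kts) and settings.gradle.kts as text
    # and does not evaluate gradle.properties, so version strings kept in
    # gradle.properties must be moved into the build files first.
    schedule:
      interval: "weekly"
    # Caps simultaneous bump PRs so the queue stays reviewable.
    open-pull-requests-limit: 5
    # One grouped PR per run instead of one PR per library.
    groups:
      routine-bumps:
        patterns:
          - "*"
    ignore:
      # javacc: 4.0 -> 7.x was found incompatible; hold it at the pinned version.
      - dependency-name: "net.java.dev.javacc:javacc"
      # elasticsearch: licensing restriction; exclude every artifact under the group.
      - dependency-name: "org.elasticsearch*"
      # Major bumps are riskier (API breaks, unstable releases): keep them
      # out of automation and handle them in a manual PR before a release.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

With this configuration Dependabot only proposes patch and minor updates, which are the ones most likely to be pure security fixes for mature libraries, while the project still gets a weekly, consolidated PR rather than a stream of individual bumps. Dependabot security updates for a vulnerable dependency are governed separately in repository settings and are not affected by the `ignore` rules for version updates shown here.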
