I agree that PRs should not be committed immediately and unconditionally when the dependabot finds them. But if we defer, there is a concern that good PRs will be forgotten. How about making a particular person (say the release manager) or triggering event (say voting on an RC) responsible for checking all applicable PRs have been applied?
> On Jun 8, 2021, at 6:58 AM, Gian Merlino <g...@apache.org> wrote:
>
> Here's a running list of PRs opened by the dependabot:
> https://github.com/apache/druid/pulls?q=is%3Apr+author%3Aapp%2Fdependabot
>
> On Mon, Jun 7, 2021 at 12:22 PM Gian Merlino <g...@apache.org> wrote:
>
>> There's been some extra discussion on this PR:
>> https://github.com/apache/druid/pull/11079
>>
>> I just +1'ed it, but I wanted to come back here to say that IMO, we should avoid getting in the habit of blindly applying these updates without testing. There have been lots of situations in the past where a harmless-looking dependency upgrade broke something. Sometimes the new dependency version had a regression in it, and sometimes even without regressions it can introduce compatibility problems.
>>
>> So, I think it'd be good to apply the updates when we're confident in our ability to test them, and add ignores (or tests!) for the rest.
>>
>> On Thu, Apr 8, 2021 at 12:35 PM Xavier Léauté <xav...@confluent.io.invalid> wrote:
>>
>>> Thanks Maytas, I asked in that thread. They seemed concerned about write access requested by dependabot, but that should no longer be required as far as I can tell, now that it is natively integrated into GitHub.
>>> It should only be a matter of adding the config file to the repo, similar to what we do to automate closing stale issues / PRs.
>>>
>>> On Tue, Apr 6, 2021 at 2:50 PM Maytas Monsereenusorn <mayt...@apache.org> wrote:
>>>
>>>> I remember seeing someone ask about Dependabot in the asfinfra slack channel a few weeks ago. However, asfinfra said they cannot allow it.
>>>> Here is the link:
>>>> https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800
>>>> I think this is the same as GitHub's dependabot.
>>>>
>>>> Best Regards,
>>>> Maytas
>>>>
>>>>
>>>> On Tue, Apr 6, 2021 at 2:37 PM Xavier Léauté <x...@apache.org> wrote:
>>>>
>>>>> Hi folks, as you know Druid has a lot of dependencies, and keeping up with the latest versions of everything, whether it relates to fixing CVEs or other improvements, is a lot of manual work.
>>>>>
>>>>> I suggest we enable GitHub's dependabot in our repository to keep our dependencies up to date. The bot is also helpful in providing a short commit log summary to understand changes.
>>>>> This might yield a flurry of PRs initially, but we can configure it to exclude libraries or version ranges that we know are unsafe for us to upgrade to.
>>>>>
>>>>> It looks like some other ASF repos have this enabled already (see https://github.com/apache/commons-imaging/pull/126), so hopefully this only requires filing an INFRA ticket.
>>>>>
>>>>> Happy to take care of it if folks are on board.
>>>>>
>>>>> Thanks!
>>>>> Xavier
>>>>>
>>>>
>>>
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
For additional commands, e-mail: dev-h...@druid.apache.org