Hi Eric,

> https://github.com/apache/iotdb/pull/4123

Yes, this is not a good practice... BTW, I found that the dependency is useless now, we can remove it.

> https://github.com/apache/iotdb/pull/4140

We have already closed the PR.

> Or maybe we can decrease the frequency of updating, i.e. from daily to
> monthly? I think it can give us some time to judge which one should be
> updated or not.

Sure, I think weekly or monthly are ok. Maybe we can also set the `update-types` (according to [1]) in the dependabot config file to keep the major version unchanged. You're welcome to create a new PR for the settings, Eric ;D

[1] https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#specifying-dependencies-and-versions-to-ignore

Steve Su
Tsinghua University

------------------ Original ------------------
From: "dev" <[email protected]>;
Date: Wed, Oct 13, 2021 01:43 PM
To: "dev"<[email protected]>;
Subject: Re: Is it safe to use dependabot to update the dependency libs

Now I have found some merged pull requests which change the major version of dependencies; it's not a good practice for maintaining our code.

https://github.com/apache/iotdb/pull/4123
https://github.com/apache/iotdb/pull/4140

Or maybe we can decrease the frequency of updating, i.e. from daily to monthly? I think it can give us some time to judge which one should be updated or not.

On 2021/10/13 03:48:08, "Steve Su" <[email protected]> wrote:
> Hi Eric,
>
> We enable the dependabot only to solve the problem that developers cannot
> discover and fix CVE vulnerabilities in time.
>
> At first, we wanted to enable dependabot through [1], so that we can only
> update the dependencies related to security vulnerability fixes. But for the
> Apache repos, we can't set the dependabot through [1] (or maybe we can apply
> to the Infra), so we finally enabled the dependabot through [2].
>
> Of course, the shortcomings of enabling the dependabot through [2] are
> obvious: we are using the version-update strategy and we don't know whether
> the update is related to a CVE vulnerability fix.
>
> > It's not wise to use latest version in a production system always,
> > especially a database. I think stable is more important than latest.
>
> I do agree with you. Stability is more important.
>
> > Can we leave the decision of when, why and whether to update the dependency
> > to our developers, not a bot? What do you think?
>
> The dependabot is only responsible for submitting a PR when a new release is
> found; whether the PR needs to be merged is up to our developers.
>
> Perhaps we should discuss when our developers should merge these PRs. For me,
> the following two types of PRs from the dependabot are acceptable:
> 1. Confirmed to be related to CVE vulnerability fixes
> 2. Minor version upgrades, such as 1.0.0 to 1.0.2
>
> Thanks,
>
> Steve Su
> Tsinghua University
>
> [1]
> https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
> [2] https://github.com/apache/iotdb/pull/4097
>
> ------------------ Original ------------------
> From: "dev" <[email protected]>;
> Date: Wed, Oct 13, 2021 10:50 AM
> To: "[email protected]"<[email protected]>;
> Subject: Is it safe to use dependabot to update the dependency libs
>
> Hi, all,
>
> I saw this JIRA https://issues.apache.org/jira/browse/IOTDB-1818 had been
> finished without any discussions. But I still have some questions about the
> daily dependency update mechanism.
>
> According to the introduction
> https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates,
> the update of any dependency happens when
>
> 1. Security updates: The current version is vulnerable.
>
> 2. Version updates: A new version has been released, no matter whether it's
> vulnerable or not.
>
> Which update strategy do we use now? From the day the issue closed to now I
> have seen so many dependencies have been updated, which are not all security
> issues. So I guess we use the version updates strategy.
>
> However, we can't trust any latest version of every dependency unless we have
> proved that it's stable and safe. For example, if a dependency released a new
> version 1.2.0, which has a former version 1.1.x, but 1.2.0 has broken the
> backward compatibility, our build may be broken. We should know that the
> semantic version is just an agreement, not a constriction. The bot can't
> guarantee this mess will not happen. What's worse, if the new version has
> some internal bugs, and the owner of the dependency can't give a fix release
> in time, we should spend more work to fix the issues, or downgrade to a
> stable one. It's not wise to use latest version in a production system
> always, especially a database. I think stable is more important than latest.
>
> Can we leave the decision of when, why and whether to update the dependency
> to our developers, not a bot? What do you think?
>
> Thanks.
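The two settings agreed on in the thread (a slower schedule and `update-types` to keep major versions unchanged) written out as a Dependabot config; this is an added example, not the file in the IoTDB repository, and the `maven` ecosystem and the `/` directory (where the root `pom.xml` is assumed to live) are assumptions.

```yaml
# Added example: .github/dependabot.yml with the settings discussed above.
# Not the IoTDB project's own file. "maven" and "/" are assumptions about
# the build tool and the location of the top-level pom.xml.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      # The thread describes the current interval as daily; weekly leaves
      # time to review each PR before the next batch arrives.
      interval: "weekly"
    # Keep major versions unchanged: Dependabot still opens PRs for minor
    # and patch bumps (e.g. 1.0.0 -> 1.0.2), but not for 1.x -> 2.x.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Caveat for the CVE use case that motivated enabling the bot: ignore rules also apply to Dependabot security updates, so a vulnerability fix that is only available in a new major version will not produce a PR and has to be picked up from the repository's security alerts by hand.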
