OK - I think it is tamed for now!

A lot of updates, nothing serious showing up. The build became unstable due to trying to do too much in one go but should now be green - it is at TravisCI.

    Andy

== Process

dependabot is administered by the file

<root>/.github/dependabot.yml

Currently, set to run monthly.

There is no other setting for on/off; if it is there, dependabot runs.

This is not all good; it runs for clones of the repo but they don't have any tidying and suppression of unwanted updates.

The "schedule" is required; otherwise it could be manual and run from GH UI via "Insights" -> "Dependency Graph" -> "Dependabot".

== This cycle

There are a couple of major upgrades highlighted:

* Lucene 7 -> 8
* org.osgi.core 5.0.0 -> 6.0.0

(nothing done about them)

Too near to a release for org.osgi.core and Lucene 7->8 is a major decision and there is no rush that I'm aware of.

* jena-elephas : Uses hadoop 2, guava 11 - I hope I've told the dependabot to ignore these.

It's the Guava bit that I'm unsure about as we have two different dependencies.

== Things that broke:

GeoSPARQL
SIS 0.8 -> 1.0 : test failure
(left at 0.8, JENA-1996)

jena-sdb : hsql v2
  Left at v1

== Notes

1/
Derby 10.15.x.y requires java9, so updated only as far as 10.14.x.y and then dependabot asked to ignore the minor version.
(used for testing by jena-sdb by jena-geosparql)

2/
The updated shade plugin has some new warnings about overlapping files.
It looks safe, needs checking (and maybe there are shading transformers to merge the files).


== Updates done

HttpClient to 4.5.13
commons-lang3 from 3.10 to 3.11
guava 29-jre to 30-jre (shaded)
spatial4j from 0.6 to 0.7
airline.version from 2.1.1 to 2.8.0
jts-core from 1.16.1 to 1.17.1
shiro from 1.5.1 to 1.7.0
jackson from 2.10.1 to 2.11.3
commons-codec 1.14 to 1.15
commons-io from 2.6 to 2.8.0
micrometer from 1.5.5 to 1.6.1
jcommander from 1.72 to 1.78

and plugins.

    Andy
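
A sketch of the kind of `.github/dependabot.yml` the message describes (monthly schedule, ignore rules for Hadoop, Guava and Derby), added here as an example and not the Jena project's actual file. The Maven coordinates, version ranges and the choice to express the ignores in the file are assumptions.

```yaml
# Added example; NOT the project's real .github/dependabot.yml.
# Coordinates and ranges below are assumptions made for illustration.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"              # root POM of the multi-module build
    schedule:
      interval: "monthly"       # "schedule" is a required key
    ignore:
      # Derby 10.15.x needs Java 9: stay on the 10.14 line.
      # Maven range syntax; blocks 10.15 and everything above it.
      - dependency-name: "org.apache.derby:*"
        versions: ["[10.15,)"]

      # Hadoop 2 is pinned for one module: suppress major-version PRs only,
      # so 2.x security and bug-fix releases are still proposed.
      - dependency-name: "org.apache.hadoop:*"
        update-types: ["version-update:semver-major"]

      # Caveat: ignore rules match by dependency name for everything under
      # this "directory". A name-only rule for Guava would also silence
      # updates for any other module that declares the same artifact at a
      # newer version, which hides future fixes there as well.
      - dependency-name: "com.google.guava:guava"
        update-types: ["version-update:semver-major"]
```

Every `ignore` entry is also a standing decision to stop hearing about fixes for that dependency, so each one is worth a comment recording why it exists and when it can be removed.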
