OK - I think it is tamed for now!
A lot of updates, nothing serious showing up. The build became unstable
due to trying to do too much in one go but should now be green - it is
at TravisCI.
Andy
== Process
dependabot is administered by the file
<root>/.github/dependabot.yml
Currently, set to run monthly.
There is no other setting for on/off; if it is there, dependabot runs.
This is not all good; it runs for clones of the repo but they don't have any
tidying and suppression of unwanted updates.
The "schedule" is required otherwise it could be manual and run from GH
UI via "Insights" -> "Dependency Graph" -> "Dependabot".
== This cycle
There are a couple of major upgrades highlighted:
* Lucene 7 -> 8
* org.osgi.core 5.0.0 -> 6.0.0
(nothing done about them)
Too near to a release for org.osgi.core and Lucene 7->8 is a major
decision and there is no rush that I'm aware of.
* jena-elephas : Uses hadoop 2, guava 11 - I hope I've told the
dependabot to ignore these.
It's the Guava bit that I'm unsure about as we have two different
dependencies.
== Things that broke:
GeoSPARQL
SIS 0.8 -> 1.0 : test failure
(left at 0.8, JENA-1996)
jena-sdb : hsql v2
Left at v1
== Notes
1/
Derby 10.15.x.y requires java9, so updated only as far as 10.14.x.y and
then dependabot asked to ignore the minor version.
(used for testing by jena-sdb and by jena-geosparql)
2/
The updated shade plugin has some new warnings about overlapping files.
It looks safe, needs checking (and maybe there are shading transformers
to merge the files).
== Updates done
HttpClient to 4.5.13
commons-lang3 from 3.10 to 3.11
guava 29-jre to 30-jre (shaded)
spatial4j from 0.6 to 0.7
airline.version from 2.1.1 to 2.8.0
jts-core from 1.16.1 to 1.17.1
shiro from 1.5.1 to 1.7.0
jackson from 2.10.1 to 2.11.3
commons-codec 1.14 to 1.15
commons-io from 2.6 to 2.8.0
micrometer from 1.5.5 to 1.6.1
jcommander from 1.72 to 1.78
and plugins.
Andy
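
A sketch of a `.github/dependabot.yml` for the process described in the message above, as an added example and not the Jena project's actual file. The Maven coordinates and the version pattern are assumptions chosen to match the ignores the message mentions (Hadoop for jena-elephas, Derby 10.15.x).

```yaml
# Illustrative only: not the project's real configuration.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    # "schedule" is required; there is no separate on/off switch.
    # If this file is present, dependabot runs (including on clones).
    schedule:
      interval: "monthly"
    ignore:
      # Assumed coordinates: keep jena-elephas on Hadoop 2 by
      # ignoring all Hadoop updates.
      - dependency-name: "org.apache.hadoop:*"
      # Derby 10.15.x requires Java 9, so stay on 10.14.x.
      # (Version pattern is an assumption.)
      - dependency-name: "org.apache.derby:derby"
        versions: ["10.15.x"]
      # An ignore rule is keyed by dependency name, so a rule for
      # com.google.guava:guava would apply to every module covered by
      # this entry, not only to the one that needs the old version.
```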