rmannibucau commented on pull request #64: URL: https://github.com/apache/johnzon/pull/64#issuecomment-755966227
@cesarhernandezgt sure we can whitelist 2-3 dependencies/plugins and we can surely drop some dependencies but overall it will be only a few. Personally I focus on transitive dependencies for the end users, the rest is part of the project IMHO and updated at need for spec projects. I'm more than fine to enable dependabot but before doing it I'd like a process to ensure 1. mails don't go to dev/commit lists + 2. there is somebody to handle all these changes. Today we handle it before doing a release generally if we judge it makes sense (for ex, upgrading junit 4.12 to 4.13 does not since we wouldn't use the new features yet but if writing a test we need it then it would make sense to be clear). So to summarize *my* point, I am fine having such an automation if there is a process associated to it and it is not just mail sent to a sink list ;).

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org