One other thing. We have gotten in the habit of creating an “umbrella” Jira issue to capture dependency changes within a release. We need to ensure whatever is committed by Dependabot is also captured.
Ralph

> On Dec 2, 2022, at 10:05 AM, Matt Sicker <m...@musigma.org> wrote:
>
> This definitely looks like an interesting idea! Minor updates should patch
> fairly painlessly, and we can form a list of dependencies over time that
> shouldn’t auto-update.
>
>> On Dec 2, 2022, at 7:10 AM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>>
>> In the context of LOG4J2-3628 (replacing `maven-changes-plugin`), I am
>> overhauling the `log4j-tools` project. I have done something, if I may say,
>> A-W-E-S-O-M-E, which I would like to repeat for Log4j too at some point:
>> https://github.com/apache/logging-log4j-tools/pull/5
>>
>> What is exactly happening in this PR? dependabot creates a PR for a
>> dependency update, CI executes the tests, tests succeed, CI merges the PR,
>> and publishes the built SNAPSHOT artifact. No more manual dependency
>> updates!