I wouldn't aim for an exhaustive list. Your compilation is better than what we have right now, which is nothing. If we encounter something new, we can extend this list.
I think your changes could very well live in the official repository. I don't think the disruption is big enough to warrant work in a fork. But you can decide this yourself.

On Mon, Feb 6, 2023 at 9:37 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:

> Hi Volkan,
>
> On Mon, 6 Feb 2023 at 08:55, Volkan Yazıcı <vol...@yazi.ci> wrote:
> >
> > You can configure dependabot to ignore certain major versions or update types
> > <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore>:
> >
> > ...
> >
> > Doesn't this help you with your concern?
>
> That is exactly what I have done:
>
> https://github.com/ppkarwasz/logging-log4j2/blob/2.x/.github/dependabot.yml
>
> My main concern is:
>
> * is this list (mostly) complete?
> * for some dependencies (e.g. `slf4j-api`) we use multiple (1.7.25, latest 1.7.x and latest 2.x) versions depending on the module.
>
> I'll let Dependabot run for a couple of weeks on my fork, before submitting a PR to the main repo.
>
> Piotr