Thanks Robert for the proposal. +1 to enable automatic dependency management. I don't have enough experience to decide which one to choose. I'm leaning toward something easy to maintain.
Yufei

On Wed, Sep 4, 2024 at 1:01 PM Robert Stupp <sn...@snazy.de> wrote:
> Hi all,
>
> I'd like to propose to use automatic dependency management in Apache
> Polaris and start a discussion about this topic first.
>
> Keeping dependencies up-to-date is quite important - it helps to not
> (or better: less likely) run into security issues or bugs in
> dependencies. Continuously keeping dependencies up-to-date also keeps
> the amount of code changes due to updated dependencies down to a
> manageable amount of work - most of the time within the
> dependency-version-bump PR.
>
> There are two options that I can think of:
>
> ## Renovate
>
> Renovate [1] is a highly customizable dependency management tool. We are
> using it in projectnessie [4] for all projects for quite some time and
> are very happy with it. It just works and does its job for years now.
> Particularly the amount of flexibility and functionality it brings is
> really nice.
>
> Renovate can update dependencies for all kinds of what they call
> "managers" [2] - e.g. for Java: Gradle, Gradle Wrapper, or for Python:
> pip, poetry, or Docker images: Dockerfile, Compose, etc.
>
> Different versioning schemes are supported (not just semver).
>
> The Renovate bot comes along each repository approximately every 3
> hours. It has configurable limits for the amount of open PRs, PRs
> created per hour and a ton more options. Dependency updates can cause a
> PR immediately or at any schedule that's needed - even configured down
> to the level of individual dependencies.
>
> It can approve PRs automatically and enable automerge. Those can also be
> configured individually. Similarly the kind of version bump
> (major/minor/patch) that requires manual approval over automatic
> approval + automerge.
>
> Thinking a bit ahead in time - when (if) there are multiple version
> branches to maintain (e.g. branches for version 1.x, 1.1.x, 2.x, etc):
> With Renovate it's possible to get dependency updates even for those
> version branches - "down-scoped" to patch-version bumps only, if
> configured that way. This could be used to get all the patch version
> dependency updates in version branches automatically.
>
> The dependency dashboard (example: [3]) that Renovate opens as a GitHub
> issue, provides a concise overview of dependencies that are scheduled,
> have been manually edited, are currently open or are ignored/blocked (by
> closing the PR, to re-create the PR).
>
> ## Dependabot
>
> Dependabot supports less "ecosystems", but probably enough for Polaris.
> Historically, Dependabot didn't do a good job with Gradle version
> catalogs, but the situation might have improved since the last time I
> checked it.
>
> Overall, compared to Renovate, it has IMO limited flexibility. It seems
> (I never tried it) that the flexibility especially for multiple "managed
> branches" is not that flexible, if present at all.
>
> What's your opinion on this topic?
>
> Robert
>
> [1] https://docs.renovatebot.com/
> [2] https://docs.renovatebot.com/modules/manager/
> [3] https://github.com/projectnessie/nessie/issues/5255
> [4] https://github.com/projectnessie/nessie/blob/main/.github/renovate.json5
>
> --
> Robert Stupp
> @snazy
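As an added illustration of the Renovate features described in the quoted proposal (open-PR and per-hour limits, a default schedule, the dependency dashboard, automerge restricted to patch bumps, and version branches "down-scoped" to patch updates only), the following `renovate.json5` is an example written for this thread. It is not the Polaris or Nessie configuration; the branch name `release/1.x`, the PR limits and the schedule strings are assumptions chosen for the example.

```json5
{
  // Added example config; not the Polaris or Nessie renovate.json5.
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Open the dependency dashboard issue that lists scheduled, open and
  // ignored/blocked updates.
  "dependencyDashboard": true,

  // Cap the bot's footprint: at most 5 open PRs, at most 2 new PRs per hour
  // (values are assumptions).
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,

  // Default schedule: raise update PRs outside working hours.
  "schedule": ["after 10pm and before 5am every weekday", "every weekend"],

  // Also track the maintained version branch (branch name is an assumption).
  "baseBranches": ["main", "release/1.x"],

  "packageRules": [
    {
      // Patch bumps on main: automerge once the required checks pass.
      "matchBaseBranches": ["main"],
      "matchUpdateTypes": ["patch"],
      "automerge": true
    },
    {
      // Major and minor bumps on main stay as PRs for manual review.
      "matchBaseBranches": ["main"],
      "matchUpdateTypes": ["major", "minor"],
      "automerge": false
    },
    {
      // Version branch is down-scoped: no major or minor bumps at all,
      // so only patch-version updates are proposed there.
      "matchBaseBranches": ["release/1.x"],
      "matchUpdateTypes": ["major", "minor"],
      "enabled": false
    },
    {
      // Per-manager schedule: bump the Gradle wrapper only once a month.
      "matchManagers": ["gradle-wrapper"],
      "schedule": ["on the first day of the month"]
    }
  ]
}
```

Automerge only takes effect when the repository's branch protection requires the CI checks Renovate waits for; without required checks the patch-bump rule would merge untested updates, so the protection rules and this file should be reviewed together.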