(sent the initial email from the wrong account, please reply to _this_ email)
On Wed, 2022-04-06 at 13:47 +0000, Robert Munteanu wrote: > Hi, > > We will start getting dependabot PRs for our sling modules, for > instance > > https://github.com/apache/sling-org-apache-sling-xss/pull/18 > > While I understand the reasoning behind this service, in Sling we > have > long had a policy of depending on the lowest possible version of the > API, to ensure that our bundles are deployed in the widest possible > range of environments. > > The situation is different for embedded bundles, but that is an edge > case compared to our regular usage of dependencies. > > I suggest that we hold off merging these PRs for now, and if anyone > thinks otherwise we should discuss and potentially amend our > practices. > > Thanks, > Robert
