On Wed, 2022-04-06 at 11:35 -0700, Eric Norman wrote:
> Perhaps some analysis of whether bumping the dependency version changes the
> generated Import-Package instruction can provide some insight regarding the
> compatibility. If the new version of the dependency only has changes in
> packages that we are not directly using then it should be safeish to switch.
That is an interesting idea. I have looked whether something like this is present in bnd, but apparently it's not. It is somehow related to baselining, and I could see this being printed as an INFO message during regular baselining runs. If anyone is interested in pursuing this, a good first step would be to open an issue at https://github.com/bndtools/bnd .

Thanks,
Robert

> I would also support changing our process to depend on the lowest possible
> version that doesn't have known vulnerabilities. Perhaps with some
> announcement if there are known compatibility issues.
>
> Regards,
> -Eric
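One way to try the check Eric describes, as an added example that is not code from bnd or from anyone on this thread: take the Import-Package header that bnd generated for our bundle and compare it against the Export-Package headers of the old and new dependency jars. A package we import is a reason to worry only if the new jar no longer exports it, exports it at a different package version, or exports a version that falls outside the range bnd generated for us. The three manifests below are constructed inputs with hypothetical org.example.* packages, not real artifacts; on real jars you would read META-INF/MANIFEST.MF out of each jar with zipfile and feed the text to the same functions.

```python
# Added example for this thread, not code from bnd or from the list.
# Manifests below are constructed and the package names are hypothetical.
import re
RANGE_RE = re.compile(r'([\[(])\s*([^,]+?)\s*,\s*([^\])]+?)\s*([\])])')


def split_quoted(value, sep):
    """Split on sep, ignoring separators inside double quotes."""
    buf, quoted = [''], False
    for ch in value:
        quoted ^= ch == '"'
        if ch == sep and not quoted:
            buf.append('')
        else:
            buf[-1] += ch
    return [p.strip() for p in buf if p.strip()]


def parse_manifest(text):
    """Fold JAR manifest continuation lines (leading space) into headers."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(' ') and current is not None:
            headers[current] += line[1:]
        elif ':' in line:
            current, _, value = line.partition(':')
            headers[current] = value.strip()
    return headers


def parse_package_header(value):
    """Return {package: {attribute: value}} for Import-/Export-Package."""
    result = {}
    for clause in split_quoted(value, ','):
        packages, attrs = [], {}
        for piece in split_quoted(clause, ';'):
            if '=' in piece:  # attribute (a=b) or directive (a:=b)
                key, _, val = piece.partition('=')
                attrs[key.rstrip(':')] = val.strip('"')
            else:
                packages.append(piece)
        for pkg in packages:
            result[pkg] = dict(attrs)
    return result


def parse_version(v):
    """OSGi 'major.minor.micro.qualifier' as a comparable tuple."""
    parts = (v or '0').split('.', 3)
    nums = [int(p) for p in parts[:3]] + [0] * (3 - len(parts[:3]))
    return (nums[0], nums[1], nums[2], parts[3] if len(parts) > 3 else '')


def in_range(version, range_spec):
    """True if version satisfies an OSGi range such as '[1.2,2)'."""
    v, m = parse_version(version), RANGE_RE.fullmatch(range_spec or '')
    if m is None:  # bare version, or no constraint: this version or later
        return v >= parse_version(range_spec)
    lo, hi = parse_version(m.group(2)), parse_version(m.group(3))
    low_ok = v >= lo if m.group(1) == '[' else v > lo
    high_ok = v <= hi if m.group(4) == ']' else v < hi
    return low_ok and high_ok


def analyse_bump(bundle_manifest, old_dep_manifest, new_dep_manifest):
    """Classify the bundle's imports that the old dependency used to supply."""
    imports = parse_package_header(parse_manifest(bundle_manifest).get('Import-Package', ''))
    old = parse_package_header(parse_manifest(old_dep_manifest).get('Export-Package', ''))
    new = parse_package_header(parse_manifest(new_dep_manifest).get('Export-Package', ''))
    report = {'unchanged': [], 'changed': [], 'removed': [], 'out_of_range': []}
    for pkg, attrs in imports.items():
        if pkg not in old:
            continue  # supplied by another bundle; this bump cannot affect it
        if pkg not in new:
            report['removed'].append(pkg)
            continue
        old_v, new_v = old[pkg].get('version', '0'), new[pkg].get('version', '0')
        if parse_version(old_v) == parse_version(new_v):
            report['unchanged'].append(pkg)
        else:
            report['changed'].append((pkg, old_v, new_v))
        if not in_range(new_v, attrs.get('version')):
            report['out_of_range'].append((pkg, new_v, attrs.get('version')))
    return report


def safe_to_bump(report):
    """The 'safeish' criterion: nothing we import moved, vanished or left its range."""
    return not (report['changed'] or report['removed'] or report['out_of_range'])


# Constructed manifests (hypothetical packages), wrapped as a jar tool would.
BUNDLE = """Bundle-SymbolicName: org.example.app
Import-Package: org.example.util;version="[1.2,2)",org.example.util.io;version=
 "[1.2,2)",org.example.util.net;version="[1.2,2)",org.example.util.legacy;
 version="[1.2,2)",javax.servlet;version="[3.1,4)";resolution:=optional
"""
OLD_DEP = """Bundle-Version: 1.2.0
Export-Package: org.example.util;version="1.2.0",org.example.util.io;version="1.2.0",
 org.example.util.net;version="1.2.0",org.example.util.legacy;version="1.2.0",
 org.example.util.internal;version="1.2.0"
"""
NEW_DEP = """Bundle-Version: 1.5.0
Export-Package: org.example.util;version="1.2.0",org.example.util.io;version="2.0.0",
 org.example.util.net;version="1.5.0",org.example.util.internal;version="1.5.0"
"""


def run_example():
    return analyse_bump(BUNDLE, OLD_DEP, NEW_DEP)
```

On the constructed input the report flags org.example.util.io (major bump, outside the generated [1.2,2) range) and org.example.util.legacy (no longer exported), while org.example.util.internal is ignored because the bundle never imported it, which is exactly the "packages we are not directly using" case. The caveat is that an unchanged package version only tells you the exporter did not declare a change; a dependency that does not maintain package versions carefully can change behaviour without moving them, so a clean report is a necessary condition for the bump, not proof of compatibility, and a baselining run on the dependency itself remains the stronger signal.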
