github started to auto-create PRs like this: [1] this feature is nice for standalone projects keeping their deps up-to-date - but in our case it usually means the minimum API version of a dependency we compile against, and not the version of the dependency we are running in our OSGi container with.
so for most our modules (except e.g. maven plugins) i think we do not want this. we cannot switch this feature globally off as we have no access to the security area in the github project settings [2]. we could "talk back" to the bot telling him to ignore this actual dependency (but not all for the project). WDYT? stefan [1] https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/pull/2 [2] https://github.com/apache/sling-org-apache-sling-models-jacksonexporter/network/alerts
