Hi Ben,

I started experimenting with gradle-versions-plugin, and it produces this report: https://gist.github.com/janhoy/91acf9ebb856bf1a97c4cf1ff68b8c6e

Looks really useful. Perhaps you can comment on why it fails to find the version for org.apache.httpcomponents:httpmime and also fails to determine the latest version for a whole lot of dependencies like org.eclipse.jetty:jetty-http? We use the com.palantir.consistent-versions plugin, so versions are not declared in gradle files.

If we can get it working for all our dependencies, I plan to add it to our top build.gradle, and run it with Jenkins. Would there be any benefit of triggering it with GitHub actions?

PR: https://github.com/apache/solr/pull/707

Jan

> On 18 May 2021 at 01:36, Benjamin Manes <[email protected]> wrote:
>
> Hi Solr team,
>
> I noticed that your project is pinned to an older version of Caffeine
> (v2.8.4, latest is v3.0.2). Both projects have moved to JDK11 in their latest
> major version. For Caffeine this allowed us to remove sun.misc.Unsafe in
> favor of VarHandles. I mention this because Andrzej Białecki specifically
> raised a concern about our use of Unsafe for Solr [1], but we could not
> address it then due to being on JDK8. For maintenance and support, it would
> be great if you can upgrade your dependencies regularly.
>
> On that note, you might want to set up a periodic report to discover
> dependency updates. Keeping the build healthy can help avoid bugs and future
> incompatibility pains, but does risk suffering from newly introduced errors.
> Unfortunately GitHub's dependabot has poor Gradle support so the community
> continues to use the older gradle-versions-plugin [2], e.g. through a GitHub
> action [3]. This plugin scripts Gradle's dependency management to generate a
> text or json report of possible upgrades based on the configured selection
> rules. Using this or something similar should let the team be more aware of
> possible upgrades and make the appropriate decisions. The plugin is agnostic
> to how you manage and store dependency versions, it merely reports based on
> what the build evaluates to.
>
> Cheers,
> Ben
>
> [1] https://github.com/ben-manes/caffeine/issues/273#issuecomment-557197399
> [2] https://github.com/ben-manes/gradle-versions-plugin
> [3] https://github.com/marketplace/actions/gradle-update-checker
