Hi all,

New releases of dependencies can introduce new bugs for sure. But I think the rationale is generally that on the whole, a new release of dependency Foo is going to fix more than it breaks (otherwise why would the Foo project have done the release).

Particularly since we still have discretion in merging (or ignoring) these PRs, configuring their frequency, etc. I don't have any objections to how things are done currently.

Best,
Jason

On Sun, Apr 2, 2023 at 1:04 AM Kevin Risden <kris...@apache.org> wrote:

> > What if latest versions of libraries have vulnerabilities or bugs or
> > instabilities that have yet to be uncovered
>
> So by not upgrading to the latest version, you are making the choice to
> purposefully avoid known bug fixes and improvements as well. I don't think
> any library makes a release on purpose that doesn't address any bugs or
> fixes that could be useful.
>
> > Solrbot is aggressively opening dependency upgrade PRs
>
> Aggressively is an interesting characterization. Factually, PRs are being
> opened on a configurable basis that includes different frequencies for more
> often upgraded dependencies (i.e. AWS SDK). The PRs are opened so that there
> is a lag and it's not immediate for new versions.
>
> The more frequently we upgrade, the easier it is to spot issues and
> problems. Our randomized tests need time to go through different
> combinations of libraries.
>
> So I am 100% for the approach so far.
>
> Kevin Risden
>
> On Sun, Apr 2, 2023 at 12:04 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>
> > Solrbot is aggressively opening dependency upgrade PRs. I think the general
> > direction we're heading towards is to upgrade all dependencies to the latest
> > available versions.
> >
> > Should we pause to rethink if that's the best idea? What if latest versions
> > of libraries have vulnerabilities or bugs or instabilities that have yet to
> > be uncovered? By letting other projects use them first, and by being
> > conservative in upgrading, we can ensure better stability and reliability
> > for our releases.
> >
> > As a search engine, we don't need to upgrade each and every library at the
> > earliest opportunity all the time.
> >
> > Any thoughts?
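Kevin's point that the upgrade PRs are opened on a configurable schedule with a built-in lag is the kind of thing a concrete bot configuration makes visible. The following is an added illustration, not Solr's actual Solrbot configuration and not code from anyone on this thread; it assumes a Renovate-style bot (an assumption, since the thread never names the tool) and uses Renovate's `minimumReleaseAge`, `schedule`, `packageRules` and `vulnerabilityAlerts` options. The AWS SDK group prefix is likewise an assumed example value.

```json5
// Added example configuration (not Solr's own). Assumes a Renovate-style
// dependency bot; option names are Renovate's, the values are illustrative.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Soak window: do not propose a version until it has been public for
  // 14 days, so other consumers have had a chance to surface regressions.
  "minimumReleaseAge": "14 days",

  // Batch ordinary upgrade PRs into one weekly window instead of opening
  // one the moment each upstream release lands.
  "schedule": ["before 6am on monday"],

  "packageRules": [
    {
      // A fast-moving dependency gets a shorter soak and a more frequent
      // window, grouped into a single PR. Prefix is an assumed example value.
      "matchPackagePrefixes": ["software.amazon.awssdk:"],
      "groupName": "aws-sdk",
      "minimumReleaseAge": "3 days",
      "schedule": ["before 6am every weekday"]
    }
  ],

  // Upgrades that fix a published vulnerability are raised immediately and
  // labelled, so the soak window never delays a security fix.
  "vulnerabilityAlerts": {
    "enabled": true,
    "labels": ["security"]
  }
}
```

The two levers worth reviewing on any such bot are the soak window (how long a release must exist before a PR is opened, which implements the "let others go first" caution) and the exemption for advisory-driven upgrades (which implements the "don't purposefully avoid known fixes" side). Reviewers still decide what to merge; the configuration only controls when a candidate shows up.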