potiuk commented on issue #15742: URL: https://github.com/apache/iceberg/issues/15742#issuecomment-4122039709
> Dependabot has to be on ASF projects, but there's no requirement to listen to it. It is overoptimistic about backwards compatibility of older versions. At the same time, having every project say "let's just upgrade all our dependencies and let downstream deal with it" would be nice - but only possible with coordinated releases across projects alongside library shading.

Correct - how you deal with dependabot is up to you - and you can also configure it - for example - to only propose security patches where a security vulnerability is found. I don't think no-one proposes that everyone upgrades to latest versions quickly.

We do it in Airflow but only because we have an extremely extensive test harness - covering test automation from basic unit tests - to end2end UI tests and everything in between - and often our tests **detect** unintended backwards incompatibilities that dependabot would not even have a chance of being aware of. We have canary builds run every 4 hours - and those canary builds are cool with such extensive tests - because this means that we can deal with issues individually when they appear rather than "bunch of those" - but recently even we changed the frequency of our "upgrades" to max at 4 days - because it was quite a bit burdensome when several upgrades of the same dep happened in quick succession - introducing and fixing breaking changes :)
