I've made two new releases for credentials since then (2.2.1 and 2.3.0, the latter of which was released just yesterday). Also, I started using that bom in credentials-plugin, so it's somewhat amusing that it imports a dependencyManagement for itself, though it doesn't appear to adversely affect the build at all.
On Mon, Aug 26, 2019 at 4:11 PM Jesse Glick <[email protected]> wrote:
>
> On Mon, Aug 26, 2019 at 4:46 PM Mark Waite <[email protected]> wrote:
> > I've generally preferred to keep the dependency at the oldest version I can
> > reasonably trust.
>
> Well, the BOM is designed to give you the newest version compatible
> with your LTS line.
>
> > I believe in this case that the credentials plugin 2.2.0 is the required
> > dependency from the BOM because it is the version which includes the most
> > recent security fix for the credentials plugin.
>
> No, it is just the latest available version according to Dependabot.
>
> > Am I correct [that using the BOM] means [users] will generally have newer
> > dependencies than they did in the past?
>
> Yes.
>
> Now as to whether you _want_ to publish new releases of one plugin
> that depend only on old releases of another plugin, this is certainly
> a matter of judgment. You would be offering a special benefit to the
> user that spends an hour looking over the *Updates* tab, poring
> through release notes, and hand-picking certain updates according to
> features or fixes they think they want. But your plugin’s tests will
> only be verifying compatibility with a rather old snapshot of the
> Jenkins ecosystem, and you will likely even be writing new code which
> calls APIs that were deprecated years ago.
>
> The assumption behind the BOM is that most people just accept all
> updates most of the time, and if something breaks they will just roll
> everything back, or tolerate it until a fix is released; plugin
> maintainers should be “fixing forward”. (Jenkins core is somewhat
> artificially given a special position in this view, as something that
> is cumbersome and particularly risky to update.)
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr2FysL-2e6PPtkdHHYXFEJkFhhcstK1BV3eu-WWLT%3Dopw%40mail.gmail.com.

--
Matt Sicker
Senior Software Engineer, CloudBees

To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4oxccC6CrehBM%2BFjgXyXTUM2x%2BNgV9pUzr284RBzMdPcHw%40mail.gmail.com.
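As an added illustration of the two positions in the thread (this is not a file from the thread or from any plugin's repository): a plugin pom that imports the BOM and either lets it choose the credentials version or pins one explicitly. The BOM groupId and the org.jenkins-ci.plugins:credentials coordinates are the published ones; the BOM artifactId suffix and version numbers are placeholders.

```xml
<!-- Added example, not the credentials plugin's real pom.xml.
     The BOM groupId is the one published by jenkinsci/bom; the LTS-line
     suffix and the version numbers are placeholders. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Importing the BOM manages the versions of every plugin it covers:
           each <dependency> below that omits <version> resolves to the
           newest version the BOM lists for this LTS line. -->
      <dependency>
        <groupId>io.jenkins.tools.bom</groupId>
        <artifactId>bom-LTS_LINE.x</artifactId> <!-- placeholder, e.g. bom-2.176.x -->
        <version>BOM_VERSION</version>          <!-- placeholder -->
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Version omitted: taken from the BOM. This is the "accept all
         updates, fix forward" model described in the thread. -->
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>credentials</artifactId>
    </dependency>

    <!-- Alternative (commented out): a version declared directly on a
         dependency overrides the BOM-managed one. A maintainer who wants
         to stay on a specific release, such as the 2.2.0 discussed above,
         pins it here and then has to bump it by hand; the BOM no longer
         moves it. -->
    <!--
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>credentials</artifactId>
      <version>2.2.0</version>
    </dependency>
    -->
  </dependencies>
</project>
```

Running `mvn dependency:tree` after either choice shows which version was actually resolved, which is the quickest way to confirm whether the BOM or a local pin won.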
