Fokko commented on PR #2784: URL: https://github.com/apache/thrift/pull/2784#issuecomment-1508131776
@Jens-G

> Don't we have dependabot already? And why only Java?

GitHub does create PRs for bumping libraries that have security holes, but for the regular updates, you need to enable it explicitly by adding the file. I'm comfortable with Java, and I think we can add more languages later on.

@ctubbsii I see your concern. My argument to that would be that you don't want to do all the updates just before a release, as something might have broken; you want to know earlier. I would argue that it will reduce the work because you don't have to look up the latest version, and you only have to merge the PR that's being created by Dependabot. As I said, I have seen this work well on other projects, and I would recommend giving it a try.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
