Re: [DISCUSS] Automatically Merge Dependency Updates

2021-02-01 Thread Ryan Blue
Sorry I missed this before. I don't think automatically updating is a good
thing to do. Other projects downstream, like Iceberg, are strict about
pulling in updated dependencies. Iceberg, for example, should only pull in
patch releases from dependencies in minor releases and should not update
patch release versions unless it is really critical. We can often use
semver to vet the possible changes, but not all projects follow semver and
there are often mistakes.

I'm concerned that automatically pulling in updates removes human
judgement. Does the project that is being updated follow semver? Does it
have a good history of not making breaking changes in patch releases? Is
this a patch release or a point release? I highly prefer a human making
those calls.

rb

On Sun, Jan 31, 2021 at 11:40 AM Driesprong, Fokko wrote:

> Hi Ismaël,
>
> Thanks for working on this! I haven't seen many projects doing this, but I
> like the idea! I'm all in favor of this!
>
> Cheers, Fokko
>
> On Sun, 31 Jan 2021 at 14:06, Ismaël Mejía wrote:
>
> > Since I opened this discussion ~1 month ago I had the time to revisit
> > the process and my 'new' conclusion is that self-merging is probably
> > going too much into automation at this point. I updated the dependency
> > updates to run once per week and merged most of the Java PRs, so it
> > should be less noise starting from now. So let's better not do this;
> > other ecosystems change, but not as fast as I was worried about.
> >
> > We have however many open PRs for Ruby, C# and JS, so if any of the
> > contributors can sit and help with reviews/merges it would be great.
> > Notice that the JS case in particular probably requires syncing the
> > dependency updates because of conflicts between dependencies.
> >
> >
> > On Mon, Jan 4, 2021 at 11:59 AM Ismaël Mejía wrote:
> > >
> > > We recently enabled Dependabot to automate dependency upgrades [1].
> > > Results so far seem good, including having new CVE alerts!
> > >
> > > Maybe we could automate further by auto-merging the PRs given some
> > > conditions, like a whitelist of dependencies that are now stable
> > > enough; when tests are green we shall not have problems.
> > >
> > > It seems GitHub now has an option to do this [2], so I was wondering
> > > what other members of the community thought and if you see any
> > > possible issues/drawbacks before starting any work on this.
> > >
> > > [1]
> > > https://lists.apache.org/thread.html/r2a175f8b96dd7a556cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
> > > [2]
> > > https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request
> >
>


-- 
Ryan Blue
Software Engineer
Netflix


Re: [DISCUSS] Automatically Merge Dependency Updates

2021-01-31 Thread Driesprong, Fokko
Hi Ismaël,

Thanks for working on this! I haven't seen many projects doing this, but I
like the idea! I'm all in favor of this!

Cheers, Fokko

On Sun, 31 Jan 2021 at 14:06, Ismaël Mejía wrote:

> Since I opened this discussion ~1 month ago I had the time to revisit
> the process and my 'new' conclusion is that self-merging is probably
> going too much into automation at this point. I updated the dependency
> updates to run once per week and merged most of the Java PRs, so it
> should be less noise starting from now. So let's better not do this;
> other ecosystems change, but not as fast as I was worried about.
>
> We have however many open PRs for Ruby, C# and JS, so if any of the
> contributors can sit and help with reviews/merges it would be great.
> Notice that the JS case in particular probably requires syncing the
> dependency updates because of conflicts between dependencies.
>
>
> On Mon, Jan 4, 2021 at 11:59 AM Ismaël Mejía wrote:
> >
> > We recently enabled Dependabot to automate dependency upgrades [1].
> > Results so far seem good, including having new CVE alerts!
> >
> > Maybe we could automate further by auto-merging the PRs given some
> > conditions, like a whitelist of dependencies that are now stable
> > enough; when tests are green we shall not have problems.
> >
> > It seems GitHub now has an option to do this [2], so I was wondering
> > what other members of the community thought and if you see any
> > possible issues/drawbacks before starting any work on this.
> >
> > [1]
> > https://lists.apache.org/thread.html/r2a175f8b96dd7a556cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
> > [2]
> > https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request
>


Re: [DISCUSS] Automatically Merge Dependency Updates

2021-01-31 Thread Ismaël Mejía
Since I opened this discussion ~1 month ago I had the time to revisit
the process and my 'new' conclusion is that self-merging is probably
going too much into automation at this point. I updated the dependency
updates to run once per week and merged most of the Java PRs, so it
should be less noise starting from now. So let's better not do this;
other ecosystems change, but not as fast as I was worried about.

We have however many open PRs for Ruby, C# and JS, so if any of the
contributors can sit and help with reviews/merges it would be great.
Notice that the JS case in particular probably requires syncing the
dependency updates because of conflicts between dependencies.


On Mon, Jan 4, 2021 at 11:59 AM Ismaël Mejía wrote:
>
> We recently enabled Dependabot to automate dependency upgrades [1]. Results so
> far seem good, including having new CVE alerts!
>
> Maybe we could automate further by auto-merging the PRs given some conditions,
> like a whitelist of dependencies that are now stable enough; when tests are
> green we shall not have problems.
>
> It seems GitHub now has an option to do this [2], so I was wondering what other
> members of the community thought and if you see any possible issues/drawbacks
> before starting any work on this.
>
> [1]
> https://lists.apache.org/thread.html/r2a175f8b96dd7a556cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
> [2]
> https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request


[DISCUSS] Automatically Merge Dependency Updates

2021-01-04 Thread Ismaël Mejía
We recently enabled Dependabot to automate dependency upgrades [1]. Results so
far seem good, including having new CVE alerts!

Maybe we could automate further by auto-merging the PRs given some conditions,
like a whitelist of dependencies that are now stable enough; when tests are
green we shall not have problems.

It seems GitHub now has an option to do this [2], so I was wondering what other
members of the community thought and if you see any possible issues/drawbacks
before starting any work on this.

[1] 
https://lists.apache.org/thread.html/r2a175f8b96dd7a556cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
[2] 
https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request
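A worked version of the gate this thread is debating, added here as an example and not code from the Avro project or from any of the posters. It combines the two conditions in the opening message (a whitelist of dependencies judged stable enough, and green tests) with the caveat in Ryan Blue's reply (vet the bump with semver, assume not every project follows it, prefer patch releases), and it refuses anything it cannot classify so that the default outcome is a human review. The `org.example:stable-lib` and `example-tool` allowlist entries, the per-dependency update levels and the sample PR titles are constructed for the example; the title parser assumes Dependabot's default "Bump X from A to B" title format.

```python
"""Auto-merge gate for dependency-update PRs (added example, not Avro code).

Allowlisted dependency + green checks + a semver-classifiable bump within
the level permitted for that dependency => merge. Everything else => human.
"""
import re
from dataclasses import dataclass

# Strict semver 2.0.0 core, optional leading "v", optional prerelease/build.
SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)
# Dependabot's default PR title; the optional " in /path" names a sub-project.
TITLE_RE = re.compile(r"^Bump (?P<dep>\S+) from (?P<old>\S+) to (?P<new>\S+)(?: in \S+)?$")


def parse_semver(version):
    """Return (major, minor, patch, prerelease-or-None), or None if not strict semver."""
    m = SEMVER_RE.match(version)
    if m is None:
        return None
    return int(m["major"]), int(m["minor"]), int(m["patch"]), m["pre"]


def classify_update(old, new):
    """Classify old -> new as patch/minor/major, or as something a human should
    look at: 'prerelease', 'downgrade', 'noop', or 'unknown' when either side
    is not strict semver (date-based or two-part versions, for instance)."""
    a, b = parse_semver(old), parse_semver(new)
    if a is None or b is None:
        return "unknown"
    if b[3] is not None:
        return "prerelease"
    if b[:3] < a[:3]:
        return "downgrade"
    if b[:3] == a[:3]:
        # 1.2.3-rc.1 -> 1.2.3 is the release of that line; 1.2.3 -> 1.2.3 is nothing.
        return "patch" if a[3] is not None else "noop"
    if b[0] != a[0]:
        return "major"
    if b[1] != a[1]:
        return "minor"
    return "patch"


def parse_dependabot_title(title):
    """Extract (dependency, old_version, new_version) from a Dependabot PR title."""
    m = TITLE_RE.match(title)
    return None if m is None else (m["dep"], m["old"], m["new"])


@dataclass(frozen=True)
class UpdatePR:
    ecosystem: str      # "maven", "npm", "bundler", "nuget", ...
    dependency: str
    old_version: str
    new_version: str
    checks_green: bool


# Hypothetical allowlist (not Avro policy): dependencies judged stable enough to
# merge unattended, each with the most permissive level it may auto-merge.
ALLOWLIST = {
    ("maven", "org.example:stable-lib"): "patch",
    ("npm", "example-tool"): "minor",
}
LEVEL_RANK = {"patch": 0, "minor": 1, "major": 2}


def auto_merge_decision(pr, allowlist=ALLOWLIST):
    """Return (allowed, reason). Refuse by default; only explicit matches pass."""
    if not pr.checks_green:
        return False, "checks not green"
    permitted = allowlist.get((pr.ecosystem, pr.dependency))
    if permitted is None:
        return False, f"{pr.dependency} is not on the allowlist; needs human review"
    kind = classify_update(pr.old_version, pr.new_version)
    if kind not in LEVEL_RANK:
        return False, f"{kind} change {pr.old_version} -> {pr.new_version}; needs human review"
    if LEVEL_RANK[kind] > LEVEL_RANK[permitted]:
        return False, f"{kind} update exceeds the {permitted} level allowed for {pr.dependency}"
    return True, f"{kind} update of allowlisted {pr.dependency} with green checks"


def triage(titled_prs, allowlist=ALLOWLIST):
    """Map each (ecosystem, title, checks_green) triple to its decision;
    titles that do not parse are refused rather than guessed at."""
    decisions = {}
    for ecosystem, title, green in titled_prs:
        parsed = parse_dependabot_title(title)
        if parsed is None:
            decisions[title] = (False, "unrecognised PR title; needs human review")
            continue
        dep, old, new = parsed
        decisions[title] = auto_merge_decision(UpdatePR(ecosystem, dep, old, new, green), allowlist)
    return decisions


if __name__ == "__main__":
    # Constructed sample titles in Dependabot's format, not real Avro PRs.
    SAMPLE = [
        ("maven", "Bump org.example:stable-lib from 1.2.3 to 1.2.4 in /lang/java", True),
        ("maven", "Bump org.example:stable-lib from 1.2.4 to 1.3.0 in /lang/java", True),
        ("npm", "Bump example-tool from 4.2.0 to 5.0.0 in /lang/js", True),
        ("nuget", "Bump Example.Codec from 20210104 to 20210131 in /lang/csharp", True),
    ]
    for title, (ok, why) in triage(SAMPLE).items():
        print("MERGE " if ok else "REVIEW", title, "::", why)
```

The gate only narrows what merges unattended; it cannot tell whether a project honours semver in practice, which is exactly the judgement the reply wants a human to keep making, so the allowlist is where that judgement gets recorded and revisited rather than re-derived per PR.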