Re: can we get rid of dependabot?

Think for version plugin it is solved already so maybe just config to do so we are all good :): https://www.mojohaus.org/versions-maven-plugin/rule.html Romain Manni-Bucau @rmannibucau | Blog | Old Blog

Re: can we get rid of dependabot?

Versions maven plugin missing the option to skip alpha/beta/rc :) from mobile (sorry for typos ;) On Wed, Dec 29, 2021, 05:28 Romain Manni-Bucau wrote: > Not sure, guess you have dependabot oovers and haters but let stay simple: > > 1. If maven version plugin does not do its job let's fix it,

Re: can we get rid of dependabot?

Snyk can alert on CVEs and it also can sent summary reports, but not sure if it works good with organizational repositories and for open source organisations. https://github.com/ecki/commons-vfs/pull/9 But +1 for getting rid of those notifications. Gruss Bernd -- http://bernd.eckenfels.net __

Re: can we get rid of dependabot?

+1, I agree that dependabot (rhymes with spamalot) should disabled entirely. Unfortunately moving the notification emails to a separate list won't stop the noise, unless committers ignore the PRs it creates. In which case, there's really no point in having it. What we need is notifications ONLY w

Re: can we get rid of dependabot?

There is nothing to fix in Maven: Maven does not create a branch, run the GitHub Actions builds, and email you a report. Maven tells you what could be updated, that's it, and it works great. Apple and oranges. Gary On Tue, Dec 28, 2021 at 5:28 PM Romain Manni-Bucau wrote: > Not sure, guess you

Re: can we get rid of dependabot?

Not sure, guess you have dependabot oovers and haters but let stay simple: 1. If maven version plugin does not do its job let's fix it, 2. If release manager handles dep check before the release as most asf project, let's drop dependabot, 3. If not and dependabot is acgually useful let's make it m

Re: can we get rid of dependabot?

I think most people like me actually do not hate dependabot but hate the email flood and notification flood it brings... XenoAmess From: Xeno Amess Sent: Wednesday, December 29, 2021 6:01:58 AM To: Commons Developers List Subject: Re: can we get rid of dependabo

Re: can we get rid of dependabot?

junit 5 rc for example XenoAmess From: Xeno Amess Sent: Wednesday, December 29, 2021 6:01:35 AM To: Commons Developers List Subject: Re: can we get rid of dependabot? versions maven plugin's problem is it will bring you latest release，even rc release... XenoAm

Re: can we get rid of dependabot?

versions maven plugin's problem is it will bring you latest release，even rc release... XenoAmess From: Xeno Amess Sent: Wednesday, December 29, 2021 6:00:40 AM To: Commons Developers List Subject: Re: can we get rid of dependabot? dependabot is useful but depen

Re: can we get rid of dependabot?

dependabot is useful but dependabot email is annoying. can we find a solution and kill the dependabot emails？ XenoAmess From: Mark Thomas Sent: Wednesday, December 29, 2021 5:52:54 AM To: dev@commons.apache.org Subject: Re: can we get rid of dependabot? +1 And

Re: can we get rid of dependabot?

+1 And it isn't just the notifications an upgrade is available. The associated GitHub emails are just as much of a problem. The Versions Maven Plugin would be a much better solution to this problem. - Run it once as part of the pre-release process. - One commit to apply all pending updates. -

Re: [VOTE] Release Apache Commons JCS 3.1 based on RC1

Sent off-list. Used GMail for my @apache.org email (too lazy to migrate all my yahoo subscriptions over there). It has a zip attachment, so not sure if it will be in your inbox or spam folder, but it should arrive in a few minutes/hours. Cheers Bruno On Wednesday, 29 December 2021, 05:44:3

Re: can we get rid of dependabot?

Le mar. 28 déc. 2021 à 19:57, Gary Gregory a écrit : > > Please no. Dependabot is a key tool for me. Inbox rules should be able to > help you depending on your client. > > Someone had suggested creating a new mailing lists for bots/tools a while > back but it never happened. It was more than a su

Re: can we get rid of dependabot?

Please no. Dependabot is a key tool for me. Inbox rules should be able to help you depending on your client. Someone had suggested creating a new mailing lists for bots/tools a while back but it never happened. Gary On Tue, Dec 28, 2021 at 1:20 PM Phil Steitz wrote: > I can no longer effective

Re: can we get rid of dependabot?

+1, a lot of false positives and useless noise so the gain is rather not positive for me too (and we revew deps before a release anyway...when there are some important ones) Romain Manni-Bucau @rmannibucau | Blog | Old Blog

can we get rid of dependabot?

I can no longer effectively monitor commits@ due to the spam generated by this tool.  I am afraid my eyeballs aren't the only ones going missing here and that is a problem much more severe than any value provided by this tool, IMO. Phil

Re: [VOTE] Release Apache Commons JCS 3.1 based on RC1

> Am 28.12.2021 um 13:01 schrieb Bruno P. Kinoshita > : > > `mvn clean test install site` took a few minutes, but it just finished > running. Below the error that just happened again on my environment (appears > to be consistent for me): > > [INFO] Results: > [INFO] > [ERROR] Failures: > [ER

Re: [VOTE] Release Apache Commons JCS 3.1 based on RC1

Hi Thomas, I'm using my old Thinkpad, with Ubuntu LTS 20.04, JDK 11 and Maven 3.8. Apache Maven 3.8.2 (ea98e05a04480131370aa0c110b8c54cf726c06f) Maven home: /opt/apache-maven-3.8.2 Java version: 11.0.13, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64 Default locale: en_US, platform e

Re: [VOTE] Release Apache Commons JCS 3.1 based on RC1

Hi Bruno. > Am 24.12.2021 um 02:00 schrieb Bruno P. Kinoshita > : > > [ERROR] SerializerUnitTest.testReadWrite:116 [key:0] should not be null, > Region Name = blockRegion2 Can you reproduce the failure (because I can't)? Some of the concurrent tests are timing sensitive. If you can reproduc