On 18.03.21 15:38, Andrew Gaul wrote:
> On Thu, Mar 18, 2021 at 02:21:57PM +0100, Fritz Elfert wrote:
> > On 18.03.21 12:14, Andrew Gaul wrote:
> > > This is something we could experiment with although there are more considerations for upgrading dependencies than simply getting the latest version, as the recent thread about Guava and Guice demonstrates. My experience with these automatic tools is that they work better for applications than frameworks. We would also want to align with other Apache projects -- do we have some similar infrastructure already?
> >
> > dependabot is NOT about simply getting the latest version, but about security vulnerabilities. For example, in my fork of jclouds at https://github.com/felfert/jclouds I can see two warnings (only the owner of the repository sees those). For each warning, I also got an email. In addition, dependabot has created a PR for updating jetty. (The other vulnerability does not have a fix yet.) Ok, in this case (jetty being used for tests only) it could be neglected, but I have seen several merged PRs by dependabot in jenkins. Given that it is only visible to repo-owners and is really non-intrusive, it should not hurt to switch this on and see if it proves useful.
>
> [I notice you only replied to me individually. I would prefer to take this thread back on-group if you reply to me.]
That was not intentional - I just hit the wrong reply-key, sorry. (Replying to the group now).
> I understand that dependabot has value, even if you ignore or close the PR, but libraries like jclouds have other considerations. Before jclouds 2.3.0 we maintained compatibility with Java 7, which meant that many suggested dependency upgrades were not valid. We can debate the merits of that policy, but it is easy to see how upgrades to Guava, Guice, and other dependencies break some user or another. Again, I am happy to experiment with this. But aligning with the overall Apache project and reducing dependencies remain priorities.
Understood -Fritz
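Added example (not from this thread and not jclouds project configuration): a hypothetical .github/dependabot.yml for a Maven repository that shows how the two concerns above can coexist. The Dependabot security alerts and the security-fix PRs Fritz describes are turned on in the repository's security settings, not in this file; this file configures the separate version-update feature, and its `ignore` rules keep Dependabot from proposing the kind of major Guava or Guice bumps Andrew warns would break users. The Maven coordinates, schedule and limits below are illustrative choices, not values taken from the page.

```yaml
# .github/dependabot.yml (hypothetical; not the jclouds project's file)
#
# Note: Dependabot *security* alerts and their fix PRs are enabled per
# repository under Settings -> Security & analysis; this file only governs
# *version* updates. Without this file, enabling alerts alone yields
# exactly the behaviour described in the thread: alerts visible to repo
# owners, e-mail notifications, and a PR only when a fixed version exists.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"              # location of the root pom.xml
    schedule:
      interval: "weekly"        # batch, rather than a PR per release
    open-pull-requests-limit: 3 # keep noise low for a library project
    labels:
      - "dependencies"
    ignore:
      # Illustrative coordinates: block major/minor bumps of dependencies
      # whose API changes are known to break downstream users of a library,
      # while still allowing patch releases (and security-driven updates,
      # which are handled by the alerts feature, not by this list).
      - dependency-name: "com.google.guava:guava"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
      - dependency-name: "com.google.inject:guice"
        update-types: ["version-update:semver-major", "version-update:semver-minor"]
```

One caveat for a project that must keep an older Java baseline: Dependabot does not know that a newer artifact requires a newer JDK, so the `ignore` list (or reviewing each PR against the CI matrix) is the only thing standing between a green PR and a release that no longer compiles for some users.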
