Hi all,

Recently, I opened 2 PRs about removing an unused library[1] and bumping various libraries[2]. I noticed that many dependencies of Calcite are outdated. To address this issue, I suggest enabling Dependabot[3] to automatically open "bump dependency" PRs and make Calcite healthier.

If we enable Dependabot, what should we do?

- Add `dependabot.yml` to `.github/`. It is straightforward; just follow the instructions in the documentation[4].
- Refactor Gradle project files: Dependabot's support for Gradle is not sufficient, as it only reads the text of `build.gradle.kts`, `build.gradle`, and `settings.gradle.kts` instead of running Gradle. Additionally, Dependabot can NOT read `gradle.properties`, so we need to refactor the Gradle project files.
- Ignore some dependencies: Some dependencies cannot be upgraded. For example, I attempted to bump JavaCC from 4.0 to 7.x, but due to incompatibility caused by the large version span, I had to give up. Also, we cannot upgrade Elasticsearch due to licensing restrictions.

What is your opinion on Dependabot?

[1] https://github.com/apache/calcite/pull/3502
[2] https://github.com/apache/calcite/pull/3504
[3] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
[4] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle

Best,
Hongyu
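As an added illustration of the three steps above (this is an example configuration written for this thread, not a file from the Calcite repository), here is a `.github/dependabot.yml` that enables weekly Gradle version updates, caps the number of open bump PRs, and encodes the two exclusions mentioned in the message. The Maven coordinates used in the `ignore` entries (`net.java.dev.javacc:javacc`, `org.elasticsearch*`) are assumptions about how those dependencies are declared and should be checked against the actual build scripts.

```yaml
# .github/dependabot.yml
# Example configuration added for illustration; not from the Calcite project.
# The dependency coordinates below are assumed and must match the
# group:artifact strings that actually appear in build.gradle.kts.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"               # directory holding build.gradle.kts and settings.gradle.kts
    schedule:
      interval: "weekly"         # one batch of bump PRs per week keeps review load predictable
    open-pull-requests-limit: 10 # cap concurrent bump PRs so nothing is merged unreviewed
    labels:
      - "dependencies"
    ignore:
      # JavaCC: the 4.0 -> 7.x jump is not a drop-in upgrade, so skip major bumps
      # while still allowing minor/patch updates to be proposed.
      - dependency-name: "net.java.dev.javacc:javacc"   # assumed coordinates
        update-types: ["version-update:semver-major"]
      # Elasticsearch: newer releases cannot be adopted for licensing reasons,
      # so exclude every artifact under that group entirely.
      - dependency-name: "org.elasticsearch*"           # assumed group prefix (wildcard)
```

Because Dependabot parses the build scripts as text rather than executing Gradle, a version that is looked up at build time (for example via `project.property("foo.version")` backed by `gradle.properties`) is invisible to it; the refactoring step means moving such versions into literal strings in `build.gradle.kts` or into a Gradle version catalog (`gradle/libs.versions.toml`), which Dependabot also scans. Keeping the `ignore` list explicit, with a comment on why each entry exists, makes it easy to revisit those exclusions later instead of silently leaving a dependency pinned.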
