Hi, Hongyu. Your idea is great and you also introduced the steps to use it.
We need more feedback about benefits and risks from calcite users.

# What are the benefits?
- Quickly fix dependency vulnerabilities.
- Balancing the workload of each upgrade (not 4.0 to 7.x).
- ...

# What are the risks?
- The latest version may be unstable.
- The burden of upgrading Calcite for users has increased.
- ...

For me, the risks are acceptable. I am willing to help you complete this work.

On Sat, 4 Nov 2023 at 21:04, Hongyu Guo <[email protected]> wrote:
> Hi all,
>
> Recently, I opened 2 PRs about removing an unused library[1] and bumping various libraries[2]. I noticed that many dependencies of calcite are outdated. To address this issue, I suggest enabling dependabot[3] to automatically open "bump dependency" PRs and make calcite healthier.
>
> If we enable dependabot, what should we do?
>
> - Add `dependabot.yml` to `.github/`. It is straightforward, just follow the instructions in the documentation[4].
> - Refactor gradle project files: Dependabot's support for gradle is not sufficient as it only reads the text of `build.gradle.kts`, `build.gradle`, and `settings.gradle.kts` instead of running gradle. Additionally, dependabot can NOT read `gradle.properties`, so we need to refactor the gradle project files.
> - Ignore some dependencies: Some dependencies cannot be upgraded. For example, I attempted to bump javacc from 4.0 to 7.x, but due to incompatibility caused by the large version span, I had to give up. Also, we cannot upgrade elasticsearch due to licensing restrictions.
>
> What is your opinion on dependabot?
>
> [1] https://github.com/apache/calcite/pull/3502
> [2] https://github.com/apache/calcite/pull/3504
> [3] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/about-dependabot-version-updates
> [4] https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#gradle
>
> Best,
> Hongyu
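A `dependabot.yml` of the shape the quoted message describes (step one, plus the ignore list from step three), added here as an illustration and not taken from the Calcite repository or from Hongyu's PRs; the Maven coordinates used for javacc and Elasticsearch are assumptions and should be checked against Calcite's build files.

```yaml
# .github/dependabot.yml (illustrative example, not Calcite's actual file)
version: 2
updates:
  - package-ecosystem: "gradle"
    # Dependabot reads build.gradle(.kts) and settings.gradle.kts as text;
    # versions held in gradle.properties are invisible to it, which is why
    # the quoted message proposes refactoring the Gradle files first.
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of simultaneous bump PRs so reviewers are not flooded.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    ignore:
      # javacc: the 4.0 -> 7.x jump proved incompatible, so skip major
      # bumps but still receive minor/patch updates. (Coordinates assumed.)
      - dependency-name: "net.java.dev.javacc:javacc"
        update-types: ["version-update:semver-major"]
      # Elasticsearch: cannot be upgraded for licensing reasons, so ignore
      # every artifact under its group id. (Group id assumed.)
      - dependency-name: "org.elasticsearch*"
```

Ignore rules also suppress Dependabot's security-update PRs for the matching libraries, so anything on this list still needs a manual watch for advisories.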
