ICLAs aren't required for trivial contributions, though they are required for committers. Are bots committers? Alternatively, if we only merge PRs from the bot using the Merge button rather than the @dependabot comment commands, then that ensures a committer is the one who introduces the merge commit itself into the git repo.
As for dependencies, I've been facing an opposite constraint: the endless security scanners complaining about every possible CVE or proprietary vulnerability published about OSS libraries that have patches available. As more and more companies embrace security, one of the low-hanging fruits of software development is keeping dependencies up to date [1].

As for ensuring things still work in older versions of a library, perhaps we should have some way to run tests with old versions of the library periodically to ensure we aren't breaking compatibility unnecessarily.

[1]: https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities

On Wed, 29 Jul 2020 at 14:45, Ralph Goers <ralph.go...@dslextreme.com> wrote:
>
> Hmm. Did dependabot sign an ICLA? As secretary you should know ;-)
>
> I’m concerned about what impression it gives users regarding compatibility
> with prior versions of dependencies. Almost nobody stays completely current
> on everything. It is too time consuming. I’m also concerned if we have to
> make modifications to support a new release as that implies the newer release
> is not backward compatible so users would be locked in. Fortunately, that
> has rarely happened to us, at least as far as I am aware, but I do know that
> Spring seems to run into this frequently - or at least the users of Spring do.

--
Matt Sicker <boa...@gmail.com>