I tend to prefer using the latest versions by default, and using “break glass” 
overrides to back versions down. I wouldn’t want our users to be stuck on older 
log4j versions due to unnecessarily loose version constraints from projects 
like Spring. If we define the minimum version, consumers are required to 
enumerate and upgrade transitive dependencies themselves when they encounter 
bugs, which causes undue burden IMO.

I don’t have an opinion about how we handle version upgrades mechanically. Some 
projects only take bugfixes on patch releases, and larger upgrades on minor 
version changes. I wouldn’t want to be too prescriptive because there are 
always counter-examples.

At work we’ve used a custom robot similar to dependabot to constantly keep 
dependencies up to date. This has worked well for us, but we require semver 
compatibility to avoid friction when upgrades are taken; some OSS projects 
definitely violate this assumption and shouldn’t be automatically upgraded.

-ck

> On Sep 17, 2020, at 9:38 PM, Matt Sicker <boa...@gmail.com> wrote:
> 
> I’d like to use it if we can configure it to do those things. Otherwise, we
> could disable it and find an alternative bot or service that does allow us
> to customize the actions it performs. There’s plenty of other services that
> scan dependencies, some of which have free SaaS versions for OSS.
> 
>> On Thu, Sep 17, 2020 at 19:49 Ralph Goers <ralph.go...@dslextreme.com>
>> wrote:
>> 
>> I very much like all the emails due to dependabot. Furthermore, if it is
>> going to create 25 PRs then it also needs to create Jira issues and include
>> updates to changes.xml, otherwise it just creates a lot of work.
>> Furthermore, I have never been in favor of updating dependencies versions
>> without a compelling reason.
>> 
>> On the other hand, if it generated reports that we could include in the
>> web site indicating we were compatible or if there are problems I would
>> find that much more valuable. I would really prefer to have the versions
>> set to the lowest version we support but have verified that it runs with
>> newer versions. IOW, if dependabot could just perform its test builds and
>> document the results that would be great. I also wouldn’t mind if it
>> created PRs when a dependency has a CVE and needs to be updated due to that
>> (hence increasing the lowest version we support).
>> 
>> I know Gary loves dependabot and always wants everything at the latest
>> version. What do others think?
>> 
>> Ralph
>> 
> --
> Matt Sicker <boa...@gmail.com>
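The two gates discussed in this thread (ck's "only take automated upgrades that are semver-compatible, and never from projects known to break semver" and Ralph's "keep the declared version at the lowest we support, but raise that floor when a dependency has a CVE") can be written down as a small policy check. The following is an added example, not code from the Log4j project or from anyone on this thread; the artifact names, the non-semver list and the advisory table are constructed for illustration.

```python
"""Constructed policy check for automated dependency-bump proposals.

Gates modelled on the thread:
  * patch/minor bumps within the same major are safe to auto-merge;
  * projects known to break semver are never auto-upgraded;
  * a bump that resolves a known advisory raises the minimum supported
    version (the declared floor), so it is surfaced even across a major.
All artifact names, advisories and versions below are constructed.
"""
from dataclasses import dataclass
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse a strict x.y.z version into a comparable tuple of ints."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"not a semver x.y.z version: {text!r}")
    return tuple(int(p) for p in m.groups())


def bump_type(current, proposed):
    """Classify a proposed upgrade as none / patch / minor / major."""
    cur, new = parse_version(current), parse_version(proposed)
    if new <= cur:
        return "none"
    if new[0] != cur[0]:
        return "major"
    if new[1] != cur[1]:
        return "minor"
    return "patch"


# Constructed: projects the team has decided not to auto-upgrade because
# they have shipped breaking changes in patch or minor releases.
NON_SEMVER = {"org.example:flaky-lib"}

# Constructed advisory table: artifact -> first version containing the fix.
ADVISORIES = {"org.example:parser": "3.0.1"}


@dataclass
class Decision:
    action: str   # "auto-merge", "raise-floor", "review" or "skip"
    reason: str


def decide(artifact, current, proposed,
           non_semver=NON_SEMVER, advisories=ADVISORIES):
    """Apply the thread's policy to one proposed bump."""
    kind = bump_type(current, proposed)
    if kind == "none":
        return Decision("skip", "not an upgrade")

    # Security fix: the declared minimum version must move, whatever the
    # bump type, so this is surfaced as a PR that raises the floor.
    fixed = advisories.get(artifact)
    if fixed is not None and \
            parse_version(current) < parse_version(fixed) <= parse_version(proposed):
        return Decision("raise-floor",
                        f"{kind} bump resolves a known advisory "
                        f"(fixed in {fixed}); raise the minimum supported version")

    if artifact in non_semver:
        return Decision("review",
                        "project known to break semver; no automatic upgrade")
    if kind == "major":
        return Decision("review", "major bump may break API; needs a human")
    return Decision("auto-merge", f"{kind} bump within semver-compatible range")


def triage(proposals):
    """Run the policy over (artifact, current, proposed) tuples.

    Returns {artifact: action} so a bot can decide what to open as a PR
    and what to merely report as 'verified compatible'.
    """
    return {a: decide(a, c, p).action for a, c, p in proposals}


if __name__ == "__main__":
    sample = [  # constructed bump proposals
        ("org.example:util", "1.2.3", "1.2.4"),
        ("org.example:util", "1.2.3", "2.0.0"),
        ("org.example:flaky-lib", "1.0.0", "1.0.1"),
        ("org.example:parser", "3.0.0", "3.0.1"),
    ]
    for artifact, cur, new in sample:
        d = decide(artifact, cur, new)
        print(f"{artifact} {cur} -> {new}: {d.action} ({d.reason})")
```

The split between "auto-merge" and "raise-floor" is the point: a compatible bump can be verified by a test build and reported without touching the declared version, whereas a bump that closes an advisory is the one case where the lowest supported version itself should move and therefore deserves a PR.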
