On Thu, Sep 17, 2020 at 8:49 PM Ralph Goers <ralph.go...@dslextreme.com> wrote:
> I very much like all the emails due to dependabot. Furthermore, if it is
> going to create 25 PRs then it also needs to create Jira issues and include
> updates to changes.xml, otherwise it just creates a lot of work.
> Furthermore, I have never been in favor of updating dependencies versions
> without a compelling reason.
>
> On the other hand, if it generated reports that we could include in the
> web site indicating we were compatible or if there are problems I would
> find that much more valuable. I would really prefer to have the versions
> set to the lowest version we support but have verified that it runs with
> newer versions. IOW, if dependabot could just perform its test builds and
> document the results that would be great.

This is basically what we have enabled for most components over at Apache Commons. Each component first started with the file .github/workflows/maven.yml, which lets GitHub run builds for PRs and branches. Then we added .github/dependabot.yml, which lets Dependabot create PRs (from branches). Once in a while I look at the PRs as I would any set of PRs and decide what to bring in. Just like any other PR, once I bring one in, I add an entry to changes.xml. I do not create Jiras if there is none for a PR, as I see no benefit, since some of the site and release notes are generated based on changes.xml. The site also generates a page from JIRA, but there is no sync of changes.xml and JIRA.

Gary

> I also wouldn’t mind if it created PRs when a dependency has a CVE and
> needs to be updated due to that (hence increasing the lowest version we
> support).
>
> I know Gary loves dependabot and always wants everything at the latest
> version. What do others think?
>
> Ralph
>
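For reference, an added example (not a file from this thread or from any Apache project) of the .github/dependabot.yml mentioned above for a Maven build, configured the way Ralph describes: routine version-bump PRs switched off, while PRs for dependencies with a published vulnerability alert are still opened. The noisier alternative is left in as a comment for comparison.

```yaml
# .github/dependabot.yml (added example, not from the thread)
version: 2
updates:
  - package-ecosystem: "maven"
    # Directory containing the root pom.xml
    directory: "/"
    schedule:
      interval: "weekly"
    # 0 disables routine version-update PRs for this ecosystem.
    # Security updates (driven by Dependabot alerts on the repository)
    # are still opened as PRs, so only CVE-driven bumps generate work.
    open-pull-requests-limit: 0
    # Noisier alternative: let every upstream release become a PR,
    # but skip major-version bumps, which are the most likely to break
    # a "lowest supported version" policy.
    # open-pull-requests-limit: 25
    # ignore:
    #   - dependency-name: "*"
    #     update-types: ["version-update:semver-major"]
```

Security-only PRs require Dependabot alerts to be enabled in the repository settings; the existing maven.yml workflow then builds each PR branch, which is the test-and-report step the quoted message asks for.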