This definitely looks like an interesting idea! Minor updates should patch fairly painlessly, and we can form a list of dependencies over time that shouldn’t auto-update.
> On Dec 2, 2022, at 7:10 AM, Volkan Yazıcı <vol...@yazi.ci> wrote:
>
> In the context of LOG4J2-3628 (replacing `maven-changes-plugin`), I am
> overhauling the `log4j-tools` project. I have done something, if I may say,
> A-W-E-S-O-M-E, which I would like to repeat for Log4j too at some point:
> https://github.com/apache/logging-log4j-tools/pull/5
>
> What is exactly happening in this PR? dependabot creates a PR for a
> dependency update, CI executes the tests, tests succeed, CI merges the PR,
> and publishes the built SNAPSHOT artifact. No more manual dependency
> updates!
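
The merge policy discussed in this thread (auto-merge only when tests pass, with a list of dependencies that never auto-update), sketched as an added example that is not part of the thread or of the log4j-tools CI. The PR title format `Bump <name> from <old> to <new>`, the hold-list entry and all sample titles are assumptions constructed for illustration.

```python
import re

# Assumed dependency-update PR title: "Bump <name> from <old> to <new>".
TITLE_RE = re.compile(r"^Bump (?P<name>\S+) from (?P<old>\S+) to (?P<new>\S+)$")

# Hypothetical hold list: dependencies that must never auto-update.
HOLD_LIST = {"org.example:legacy-parser"}


def _numeric_parts(version):
    """Return (major, minor, patch), or None for qualified versions."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None  # e.g. 2.0.0-rc1 or 1.4.Final: leave to a human
    return tuple(int(p or 0) for p in m.groups())


def classify(old, new):
    """Classify an update as 'patch', 'minor', 'major' or 'unknown'."""
    a, b = _numeric_parts(old), _numeric_parts(new)
    if a is None or b is None or b <= a:
        return "unknown"  # unparseable, downgrade, or no change
    if b[0] != a[0]:
        return "major"
    return "minor" if b[1] != a[1] else "patch"


def decide(title, tests_passed, hold_list=HOLD_LIST):
    """Return (auto_merge, reason) for one dependency-update PR."""
    m = TITLE_RE.match(title.strip())
    if not m:
        return False, "not a recognised dependency-update title"
    if m["name"] in hold_list:
        return False, "dependency is on the hold list"
    kind = classify(m["old"], m["new"])
    if kind not in ("patch", "minor"):
        return False, f"{kind} update needs manual review"
    if not tests_passed:
        return False, "CI tests did not succeed"
    return True, f"{kind} update with passing tests"


# Constructed sample PRs: (title, CI result).
SAMPLES = [
    ("Bump junit-jupiter from 5.9.0 to 5.9.1", True),
    ("Bump jackson-databind from 2.13.4 to 3.0.0", True),
    ("Bump org.example:legacy-parser from 1.2.0 to 1.2.1", True),
    ("Bump assertj-core from 3.23.0 to 3.24.0", False),
]

if __name__ == "__main__":
    for title, ok in SAMPLES:
        print(decide(title, ok), title)
```

Anything the gate cannot classify (pre-release qualifiers, downgrades, unrecognised titles) falls through to manual review rather than being merged.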