I agree with Jason and Kevin that it's better to err on the side of
updating dependencies faster than updating them slower.

We have (hopefully) comprehensive testing for a lot of the features that
these dependencies are used for, and as Jason said we have ultimate
discretion in merging.

In general I'm surprised these libraries have so many updates, I was not
imagining that we'd get a dozen updates a week.

- Houston

On Mon, Apr 3, 2023 at 9:01 AM Jason Gerlowski <gerlowsk...@gmail.com>
wrote:

> Hi all,
>
> New releases of dependencies can introduce new bugs for sure.  But I
> think the rationale is generally that on the whole, a new release of
> dependency Foo is going to fix more than it breaks (otherwise why
> would the Foo project have done the release).
>
> Particularly since we still have discretion in merging (or ignoring)
> these PRs, configuring their frequency, etc. I don't have any
> objections with how things are done currently.
>
> Best,
>
> Jason
>
> On Sun, Apr 2, 2023 at 1:04 AM Kevin Risden <kris...@apache.org> wrote:
> >
> > >
> > > What if latest versions of libraries have vulnerabilities or bugs or
> > > instabilities that have yet to be uncovered
> > >
> >
> > So by not upgrading to the latest version - you are making the choice to
> > purposefully avoid known bug fixes and improvements as well. I don't think
> > any library makes a release on purpose that doesn't address any bugs or
> > fixes that could be useful.
> >
> > > Solrbot is aggressively opening dependency upgrade PRs
> > >
> >
> > Aggressively is an interesting characterization. Factually PRs are being
> > opened on a configurable basis that includes different frequencies for more
> > often upgraded dependencies (i.e. AWS SDK). The PRs are opened so that there
> > is a lag and it's not immediate for new versions.
> >
> > The more frequently we upgrade the easier it is to spot issues and
> > problems. Our randomized tests need time to go through different
> > combinations of libraries.
> >
> > So I am 100% for the approach so far.
> >
> > Kevin Risden
> >
> >
> > On Sun, Apr 2, 2023 at 12:04 AM Ishan Chattopadhyaya <
> > ichattopadhy...@gmail.com> wrote:
> >
> > > Solrbot is aggressively opening dependency upgrade PRs. I think the general
> > > direction we're heading towards is to upgrade all dependencies to the latest
> > > available versions.
> > >
> > > Should we pause to rethink if that's the best idea? What if latest versions
> > > of libraries have vulnerabilities or bugs or instabilities that have yet to
> > > be uncovered? By letting other projects use them first, and by being
> > > conservative in upgrading, we can ensure better stability and reliability
> > > for our releases.
> > >
> > > As a search engine, we don't need to upgrade each and every library at the
> > > earliest opportunity all the time.
> > >
> > > Any thoughts?
> > >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> For additional commands, e-mail: dev-h...@solr.apache.org
>
>
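Kevin's description above (PRs opened on a configurable schedule, a slower cadence for fast-moving dependencies such as the AWS SDK, and a deliberate lag before a new version is proposed) maps directly onto a bot configuration. The following is an added illustration, not the Solr project's own solrbot configuration: it assumes the bot is Renovate-style and uses Renovate's documented option names (`schedule`, `minimumReleaseAge`, `packageRules`, `vulnerabilityAlerts`); the package name patterns, cadences and day counts are made-up values chosen to show the shape of such a policy.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  "description": "Added example config (assumed Renovate-style bot), not the project's own file",

  "schedule": ["before 6am on monday"],

  "minimumReleaseAge": "7 days",

  "prConcurrentLimit": 10,

  "packageRules": [
    {
      "description": "AWS SDK releases very frequently: batch into one PR on a slower cadence and wait longer",
      "matchPackagePatterns": ["^software\\.amazon\\.awssdk:", "^com\\.amazonaws:"],
      "groupName": "aws-sdk",
      "schedule": ["before 6am on the first day of the month"],
      "minimumReleaseAge": "14 days"
    }
  ],

  "osvVulnerabilityAlerts": true,
  "vulnerabilityAlerts": {
    "description": "Fixes for known vulnerabilities bypass both the schedule and the release-age lag",
    "labels": ["security"],
    "schedule": ["at any time"],
    "minimumReleaseAge": null,
    "prCreation": "immediate"
  }
}
```

The two halves address the two concerns raised in the thread. `minimumReleaseAge` is the "let other projects use it first" lag Ishan asks for: a version younger than the threshold is not proposed, so a release that upstream pulls or patches within days is never opened as a PR. The `vulnerabilityAlerts` override is the caveat a practitioner wants alongside that lag: when the currently pinned version has a published advisory, the fix is proposed immediately rather than waiting out the same delay, otherwise the conservative policy would keep a known-vulnerable version in place longer than a fast one. The check that matters is therefore not "is the new version older than N days" alone, but "is the version we are on already known to be vulnerable", and the configuration should answer the second question before the first. Note that release-age checks depend on the registry publishing release timestamps, so the lag is only enforceable for ecosystems where that metadata exists.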
