I agree with Jason and Kevin that it's better to err on the side of updating dependencies faster than updating them slower.
We have (hopefully) comprehensive testing for a lot of the features that these dependencies are used for, and as Jason said we have ultimate discretion in merging. In general I'm surprised these libraries have so many updates; I was not imagining that we'd get a dozen updates a week.

- Houston

On Mon, Apr 3, 2023 at 9:01 AM Jason Gerlowski <gerlowsk...@gmail.com> wrote:

> Hi all,
>
> New releases of dependencies can introduce new bugs for sure. But I
> think the rationale is generally that on the whole, a new release of
> dependency Foo is going to fix more than it breaks (otherwise why
> would the Foo project have done the release).
>
> Particularly since we still have discretion in merging (or ignoring)
> these PRs, configuring their frequency, etc. I don't have any
> objections with how things are done currently.
>
> Best,
>
> Jason
>
> On Sun, Apr 2, 2023 at 1:04 AM Kevin Risden <kris...@apache.org> wrote:
> >
> > > What if latest versions of libraries have vulnerabilities or bugs or
> > > instabilities that have yet to be uncovered
> >
> > So by not upgrading to the latest version - you are making the choice to
> > purposefully avoid known bug fixes and improvements as well. I don't think
> > any library makes a release on purpose that doesn't address any bugs or
> > fixes that could be useful.
> >
> > > Solrbot is aggressively opening dependency upgrade PRs
> >
> > Aggressively is an interesting characterization. Factually PRs are being
> > opened on a configurable basis that includes different frequencies for more
> > often upgraded dependencies (i.e. AWS SDK). The PRs are opened so that there
> > is a lag and it's not immediate for new versions.
> >
> > The more frequently we upgrade the easier it is to spot issues and
> > problems. Our randomized tests need time to go through different
> > combinations of libraries.
> >
> > So I am 100% for the approach so far.
> >
> > Kevin Risden
> >
> > On Sun, Apr 2, 2023 at 12:04 AM Ishan Chattopadhyaya <
> > ichattopadhy...@gmail.com> wrote:
> >
> > > Solrbot is aggressively opening dependency upgrade PRs. I think the general
> > > direction we're heading towards is to upgrade all dependencies to the latest
> > > available versions.
> > >
> > > Should we pause to rethink if that's the best idea? What if latest versions
> > > of libraries have vulnerabilities or bugs or instabilities that have yet to
> > > be uncovered? By letting other projects use them first, and by being
> > > conservative in upgrading, we can ensure better stability and reliability
> > > for our releases.
> > >
> > > As a search engine, we don't need to upgrade each and every library at the
> > > earliest opportunity all the time.
> > >
> > > Any thoughts?