ppkarwasz opened a new pull request, #408:
URL: https://github.com/apache/logging-parent/pull/408

   In #366, we centralized the process for managing NPM dependencies, replacing the decentralized approach. While this change is transparent for most projects, it introduces a chicken-and-egg problem when releasing `logging-parent`:
   
   * The website build fetches NPM dependency versions from the GitHub repository based on a specific tag, currently `rel/<version_number>`.
   * However, for `logging-parent`, the `rel/<version_number>` tag can only be created *after* the release is validated—which requires building the website.
   
   To resolve this, we propose using a mutable tag: `site-deps/<version_number>`. This tag will initially point to the commit preceding the release and allow the website build to proceed. Once the release is finalized and the `rel/<version_number>` tag is available, `site-deps/<version_number>` will be updated to match it.
   
   ### Security considerations
   
   I am not a big fan of using mutable tags.
   However, previously we had no control over which NPM package versions were used to build the website. Now we lock those dependencies, but we cannot lock the release tag.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
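
One way to audit the tag scheme proposed in the pull request above, shown as an added example that is not part of the pull request or the project's tooling. The tag names `site-deps/<version>` and `rel/<version>` come from the description; the function names, the state words and the optional pinned-commit argument (the commit the website build resolved the tag to, recorded at build time) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the mutable site-deps/<version> tag.
# Function names, states and the "pinned commit" argument are hypothetical.

# Resolve a tag to the commit it points at (peels annotated tags).
tag_commit() {
    git -C "$1" rev-parse -q --verify "refs/tags/$2^{commit}" 2>/dev/null
}

# Usage: check_site_deps_tag <repo> <version> [pinned-commit]
# Prints one state word and returns:
#   0 final    site-deps/<v> and rel/<v> name the same commit
#   0 pending  rel/<v> does not exist yet; site-deps/<v> matches the pin, if given
#   1 drift    rel/<v> exists but site-deps/<v> names a different commit
#   1 moved    pre-release, site-deps/<v> no longer matches the pinned commit
#   2 missing  site-deps/<v> does not exist
check_site_deps_tag() {
    repo=$1
    version=$2
    pinned=${3:-}
    site=$(tag_commit "$repo" "site-deps/$version") || { echo missing; return 2; }
    if rel=$(tag_commit "$repo" "rel/$version"); then
        # Release finished: the mutable tag must have been moved onto it.
        [ "$site" = "$rel" ] && { echo final; return 0; }
        echo drift
        return 1
    fi
    # Release not tagged yet: the only anchor is the commit recorded earlier.
    if [ -n "$pinned" ] && [ "$site" != "$pinned" ]; then
        echo moved
        return 1
    fi
    echo pending
    return 0
}
```

Run after a release, a `drift` result means the website dependencies were fetched from a commit other than the one that was released.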
