Sorry I missed this before. I don't think automatically updating is a good
thing to do. Other projects downstream, like Iceberg, are strict about
pulling in updated dependencies. Iceberg, for example, should only pull in
patch releases from dependencies in minor releases and should not update
patch release versions unless it is really critical. We can often use
semver to vet the possible changes, but not all projects follow semver and
there are often mistakes.

I'm concerned that automatically pulling in updates removes human
judgement. Does the project that is being updated follow semver? Does it
have a good history of not making breaking changes in patch releases? Is
this a patch release or a point release? I highly prefer a human making
those calls.

rb

On Sun, Jan 31, 2021 at 11:40 AM Driesprong, Fokko <[email protected]>
wrote:

> Hi Ismaël,
>
> Thanks for working on this! I haven't seen many projects doing this, but I
> like the idea! I'm all in favor of this!
>
> Cheers, Fokko
>
> On Sun, 31 Jan 2021 at 14:06, Ismaël Mejía <[email protected]> wrote:
>
> > Since I opened this discussion ~1 month ago I had the time to revisit
> > the process and my 'new' conclusion is that self merging is probably
> > going too much into automation at this point. I updated the dependency
> > updates to run once per week and merged most of the Java PRs, so it
> > should be less noise starting from now. So let's better not do this;
> > other ecosystems change, but it is not as fast as I was worried about.
> >
> > We have however many open PRs for Ruby, C# and JS, so if any of the
> > contributors can sit and help with reviews/merges it would be great.
> > Notice that the JS case in particular probably requires syncing the
> > dependency updates because of conflicts between dependencies.
> >
> >
> > On Mon, Jan 4, 2021 at 11:59 AM Ismaël Mejía <[email protected]> wrote:
> > >
> > > We enabled recently dependabot to automate dependency upgrades [1].
> > > Results so far seem good, including having new CVE alerts!
> > >
> > > Maybe we could automate further by auto-merging the PRs given some
> > > conditions, like a whitelist of dependencies that are now stable enough,
> > > and when tests are green we shall not have problems.
> > >
> > > It seems GitHub now has an option to do this [2], so I was wondering
> > > what other members of the community thought and if you see any possible
> > > issues/drawbacks before starting any work on this.
> > >
> > > [1]
> > > https://lists.apache.org/thread.html/r2a175f8b96dd7a5533336cf1b7438a5c8efcacdd4a06080926142734%40%3Cdev.avro.apache.org%3E
> > > [2]
> > > https://docs.github.com/en/free-pro-team@latest/github/collaborating-with-issues-and-pull-requests/automatically-merging-a-pull-request
> >
>


-- 
Ryan Blue
Software Engineer
Netflix
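As an added example (not code from this thread, from Dependabot, or from the Avro project), the following Python script encodes the kind of human-set criteria the thread argues over: a curated allowlist of dependencies, a green build, and a semver classification that marks only patch-level bumps as eligible for automatic merge and routes everything else (minor or major bumps, pre-releases, non-semver version strings, downgrades, unlisted dependencies, unrecognised titles) to a human reviewer. The "Bump X from A to B" title format, the allowlist entries and the sample PR titles are assumptions constructed for this example.

```python
"""Policy check for dependency-update PRs (added example, not project code).

Only an allowlisted dependency, with a green build and a patch-level semver
bump, is eligible for automatic merge. Everything else goes to a human.
"""
import re
from typing import Optional, Tuple

# Assumed PR title format "Bump <dep> from <old> to <new>"; simple cases only.
TITLE_RE = re.compile(r"^Bump (?P<dep>\S+) from (?P<old>\S+) to (?P<new>\S+)")

# Plain X.Y.Z (optional leading "v"). Pre-release and build tags are
# deliberately NOT accepted, so they always land in front of a reviewer.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# Constructed allowlist: dependencies a maintainer has judged to follow
# semver and to have a clean history of non-breaking patch releases.
ALLOWLIST = frozenset({"example-org:stable-lib", "example-org:other-lib"})


def parse_semver(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) or None if the string is not plain semver."""
    m = SEMVER_RE.match(version)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify_update(old: str, new: str) -> str:
    """Classify a version change as patch/minor/major, or flag it for review."""
    a, b = parse_semver(old), parse_semver(new)
    if a is None or b is None:
        return "non-semver"
    if b <= a:
        return "downgrade-or-same"
    if b[0] != a[0]:
        return "major"
    if b[1] != a[1]:
        return "minor"
    return "patch"


def auto_merge_decision(dep: str, old: str, new: str, tests_green: bool,
                        allowlist=ALLOWLIST) -> Tuple[bool, str]:
    """Apply the policy; returns (eligible_for_auto_merge, reason)."""
    if dep not in allowlist:
        return False, f"{dep} is not on the allowlist; needs human review"
    if not tests_green:
        return False, "build is not green"
    kind = classify_update(old, new)
    if kind != "patch":
        return False, f"{old} -> {new} is a {kind} change, not a patch release"
    return True, f"patch bump of allowlisted {dep}: eligible for auto-merge"


def decide_from_title(title: str, tests_green: bool) -> Tuple[bool, str]:
    """Parse an assumed 'Bump X from A to B' title and apply the policy."""
    m = TITLE_RE.match(title)
    if not m:
        return False, "unrecognised PR title; needs human review"
    return auto_merge_decision(m["dep"], m["old"], m["new"], tests_green)


if __name__ == "__main__":
    # Constructed sample PR titles paired with a constructed build status.
    samples = [
        ("Bump example-org:stable-lib from 1.4.2 to 1.4.3", True),
        ("Bump example-org:stable-lib from 1.4.2 to 1.5.0", True),
        ("Bump example-org:unvetted-lib from 2.0.0 to 2.0.1", True),
        ("Bump example-org:other-lib from 3.1.0 to 3.1.1", False),
        ("Bump example-org:other-lib from 3.1.0 to 3.1.1-rc1", True),
    ]
    for title, green in samples:
        ok, why = decide_from_title(title, green)
        print("AUTO-MERGE  " if ok else "HUMAN REVIEW", title, "-", why)
```

The allowlist is the place where the human judgement the thread asks for lives: a dependency only enters it after someone has checked that the project follows semver and has not shipped breaking changes in patch releases, and the script never promotes anything it cannot classify.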
