Dependabot is a bot on GitHub that opens PRs to automatically upgrade out-of-date dependencies to fix security issues. Recently, GitHub acquired Dependabot and is gradually enabling the bot on all repositories.

It just opened a PR to upgrade a few dependencies in the Avatica repository: https://github.com/apache/calcite-avatica/pull/114

I'd like to start some discussion as to how we should deal with these PRs. For some background, dependency upgrades should usually have a Jira issue number assigned, so that the change is fully trackable. We recently had some discussion regarding trivial fixes to documentation, and the consensus was that changes to the code are not considered to be trivial and that an issue should be filed on Jira.

If we will not merge these PRs, I think it makes sense to ask infra to disable them. Having these open PRs and then closing them manually seems to generate a lot of noise. According to the documentation for Dependabot [1], it appears that we can either opt out of having Dependabot open PRs completely or have it open PRs. There is no middle ground where Dependabot/GitHub sends members of the repo a notification for security issues but does not open any PRs.

What do you guys think?

Francis

[1] https://help.github.com/en/articles/configuring-automated-security-fixes