Hi Gary,

On 15.11.2025 19:12, Gary Gregory wrote:
> -1 I please that's a component that I am actively maintaining and releasing.

I’m with Sebb on this one (see [1]). While Commons IO does have releases every 3–4 months, this year we’ve seen 71 Dependabot PRs [2] compared to 32 non-Dependabot PRs [3]. ByteBuddy alone has been upgraded 8 times, meaning 2–3 updates per release, even though it’s not a runtime dependency.

I absolutely understand the need to regularly upgrade *runtime* dependencies so we can test them and provide feedback upstream (often within Commons itself). I also see the value in verifying updates to the build system (`commons-parent`), although I’m still unsure why we need 14 `commons-parent` releases per year, but that’s a separate issue.

Given all this, I fully support upgrading dependencies on a roughly 3-month schedule. That seems like a reasonable balance that reduces the overall noise-to-signal ratio to something closer to 50% or below.

Piotr

[1] https://lists.apache.org/thread/84594nym6yv9od570olpd46x668lssr7
[2] https://github.com/apache/commons-io/pulls?q=is%3Apr+created%3A%3E2025-01-01+author%3Adependabot[bot]
[3] https://github.com/apache/commons-io/pulls?q=is%3Apr+created%3A%3E2025-01-01+-author%3Adependabot%5Bbot%5D+
