On Sat, 15 Nov 2025 at 22:34, Emmanuel Bourg <[email protected]> wrote:
>
> On 15/11/2025 22:22, Piotr P. Karwasz wrote:
> > Hi Gary,
> >
> > On 15.11.2025 19:12, Gary Gregory wrote:
> >> -1 I please that's a component that I am actively maintaining and 
> >> releasing.
> >
> > I’m with Sebb on this one (see [1]).
> >
> > While Commons IO does have releases every 3–4 months, this year we’ve
> > seen 71 Dependabot PRs [2] compared to 32 non-Dependabot PRs [3].
> > ByteBuddy alone has been upgraded 8 times, meaning 2–3 updates per
> > release, even though it’s not a runtime dependency.
> >
> > I absolutely understand the need to regularly upgrade *runtime*
> > dependencies so we can test them and provide feedback upstream (often
> > within Commons itself). I also see the value in verifying updates to the
> > build system (`commons-parent`), although I’m still unsure why
> > we need 14 `commons-parent` releases per year, but that’s a separate issue.
> >
> > Given all this, I fully support upgrading dependencies on a roughly
> > 3-month schedule. That seems like a reasonable balance that reduces the
> > overall noise-to-signal ratio to something closer to 50% or below.
>
> +1 as well, the flood of dependabot PRs has to be regulated. It's not a
> code change but a process decision; vetoes do not apply in this case.
>

FWIW: I mentioned the "flood" the day it started (without anyone here
being asked if they were OK with that major change).
The complaint was turned down, and so was the remark that in "release
notes" the number of so-called changes made by such "bots" largely
outnumbered the real changes.
I thus started to filter out all "dependabot"-related messages.
If other people did the same, it just decreased the "number of eyes"
looking at commits (with or without ill consequences wrt security).

Gilles
