There's been an increase in software supply chain hacks these days.

Since this bot is on our ongoing development branch, so long as we watch
these changes and verify the dependencies it chooses before merging these PRs,
this makes version updating an incremental effort done as things come along.
We would inspect and merge the pull requests individually. That's far better
than the hated job of doing this in bulk and verifying just before a release.
I like the notion that these updates occur as early as possible, so developers
get experience with the new versions over time.

I very much like that they're one library at a time per pull request. A
bite-sized unit of work.



________________________________
From: Steve Lawrence <slawre...@apache.org>
Sent: Thursday, March 4, 2021 1:10 PM
To: dev@daffodil.apache.org <dev@daffodil.apache.org>
Subject: Scala Steward for dependency updates?

I just stumbled across Scala Steward [1]. From their website, "Scala
Steward is a bot that helps you keep library dependencies and sbt
plugins up-to-date."

This bot periodically checks to see if there are any newer versions of
dependencies, and if detected will create a pull request to update that
dependency in the project/Dependencies.scala file.

I've enabled it on my fork as a test, and it just created a bunch of
pull requests, so you can see what it looks like at my fork:

  https://github.com/stevedlawrence/daffodil/pulls

The benefit here is we can rely on this bot to keep our deps updated so
we don't fall behind, and can rely on our GitHub actions to test if
anything breaks for a particular dependency. So much of the process
becomes automated.

Some parts are still manual, like checking that the license for the
dependency hasn't changed, and updating the bin.NOTICE file which
mentions library versions, so there's still some work. But it at
least automates part of the process.

It also has a config file if needed to do things like pin certain
dependencies to a version if needed, configure pull request messages,
etc. My fork above just uses the default configuration.

If we do want to enable this, all we need to do is create a pull request
to add "apache/daffodil" to the scala steward repo's file--pretty simple
change.


Thoughts?

[1] https://github.com/scala-steward-org/scala-steward
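As an added illustration of the config file mentioned above (not part of this thread, and not the Daffodil project's own file), the following is a repository-level `.scala-steward.conf` in HOCON that pins one dependency to a version line, ignores another until its license change has been reviewed, limits how often the bot opens a pull request for the same artifact, and sets the commit message template. The `com.example` coordinates are placeholders; the `org.scala-lang` pin and the `pullRequests.frequency` and `commits.message` keys follow Scala Steward's documented configuration, but which dependencies to pin or ignore is a per-project decision assumed here for illustration.

```hocon
# .scala-steward.conf, placed at the repository root (HOCON syntax).
# Added example; the pinned/ignored artifacts below are illustrative
# choices, not the Daffodil project's actual configuration.

# Pin an artifact to a version prefix: the bot then only proposes updates
# whose version starts with this string (e.g. 2.12.x patch releases), so a
# major/minor bump never arrives as a surprise PR.
updates.pin = [
  { groupId = "org.scala-lang", artifactId = "scala-library", version = "2.12." }
]

# Skip updates for an artifact entirely, e.g. while a license change in a
# newer release is still under review. (com.example values are placeholders.)
updates.ignore = [
  { groupId = "com.example", artifactId = "some-lib" }
]

# Do not open a new PR for the same artifact more often than this, which
# keeps the one-library-per-PR review load predictable.
pullRequests.frequency = "30 days"

# Template for the commit/PR title the bot generates.
commits.message = "Update ${artifactName} from ${currentVersion} to ${nextVersion}"
```

The pin and ignore lists are the practical lever for supply-chain review: a reviewer can keep a dependency from moving until its new version, license and transitive dependencies have been inspected, while still letting the bot handle the routine bumps automatically.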
