Good suggestion and thanks Calvin,

On Tue, Apr 5, 2022 at 9:47 PM CalvinKirs <[email protected]> wrote:

> CC
> We should do the same.
> Here is the PR[1] created
> [1] https://github.com/apache/dolphinscheduler/labels/dependencies
>
> Best wishes!
> Calvin Kirs
>
> On 04/5/2022 20:03, Sheng Wu <[email protected]> wrote:
> Hi Team
>
> According to the notifications from ASF INFRA, they activated the
> dependencies check bot for all repositories. This afternoon (UTC+8), we
> received PRs (#8806 <https://github.com/apache/skywalking/pull/8806>
> #8807 <https://github.com/apache/skywalking/pull/8807>
> #8808 <https://github.com/apache/skywalking/pull/8808>
> #8809 <https://github.com/apache/skywalking/pull/8809>
> #8810 <https://github.com/apache/skywalking/pull/8810>) from this robot. I have
> closed all of them, but manually use mine[1] to take the action.
>
> First, it is good we could have a robot to check this in case we missed any
> CVE relative fixes in our dependencies. But also, we should be careful, and
> more serious when we try to bump up versions.
> 1. We should take care of the License (binary one) matching with version
> changes.
> 2. Make sure we have enough tests (e2e or manual tests) to make sure these
> new versions are good.
>
> So, I recommend all committers would manually bump up versions, and only
> take the robot's PR as a notification, rather than a code contribution.
>
> [1] https://github.com/apache/skywalking/pull/8811
>
> Sheng Wu 吴晟
> Twitter, wusheng1108
-- Best Wish — Jiajie
