There's been some extra discussion this PR:
https://github.com/apache/druid/pull/11079

I just +1'ed it, but I wanted to come back here to say that IMO, we should
avoid getting in the habit of blindly applying these updates without
testing. There have been lots of situations in the past where a
harmless-looking dependency upgrade broke something. Sometimes the new
dependency version had a regression in it, and sometimes, even without
regressions, it can introduce compatibility problems.

So, I think it'd be good to apply the updates when we're confident in our
ability to test them, and add ignores (or tests!) for the rest.

On Thu, Apr 8, 2021 at 12:35 PM Xavier Léauté <xav...@confluent.io.invalid>
wrote:

> Thanks Maytas, I asked in that thread. They seemed concerned about write
> access requested by dependabot,
> but that should no longer be required as far as I can tell, now that it is
> natively integrated into GitHub.
> It should only be a matter of adding the config file to the repo, similar
> to what we do to automate closing stale issues / PRs.
>
> On Tue, Apr 6, 2021 at 2:50 PM Maytas Monsereenusorn <mayt...@apache.org>
> wrote:
>
> > I remember seeing someone ask about Dependabot in the asfinfra Slack
> > channel a few weeks ago. However, asfinfra said they cannot allow it.
> > Here is the link:
> > https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800
> > I think this is the same as Github's dependabot.
> >
> > Best Regards,
> > Maytas
> >
> >
> > On Tue, Apr 6, 2021 at 2:37 PM Xavier Léauté <x...@apache.org> wrote:
> >
> > > Hi folks, as you know Druid has a lot of dependencies, and keeping up
> > > with the latest versions of everything, whether it relates to fixing
> > > CVEs or other improvements, is a lot of manual work.
> > >
> > > I suggest we enable Github's dependabot in our repository to keep our
> > > dependencies up to date. The bot is also helpful in providing a short
> > > commit log summary to understand changes.
> > > This might yield a flurry of PRs initially, but we can configure it to
> > > exclude libraries or version ranges that we know are unsafe for us to
> > > upgrade to.
> > >
> > > It looks like some other ASF repos have this enabled already (see
> > > https://github.com/apache/commons-imaging/pull/126), so hopefully this
> > > only requires filing an INFRA ticket.
> > >
> > > Happy to take care of it if folks are on board.
> > >
> > > Thanks!
> > > Xavier
> > >
> >
>
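For reference, here is what the config file mentioned in the thread can look like when it carries the kind of ignores the top message asks for. This is an added illustration, not Druid's actual configuration; the dependency coordinates are constructed placeholders, and the version range is assumed to follow Maven's range syntax.

```yaml
# .github/dependabot.yml (illustrative; not the Druid project's own file)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the initial flurry so each PR can actually be tested before merge.
    open-pull-requests-limit: 5
    ignore:
      # Constructed placeholder: a library whose 2.x line is known to break
      # compatibility for us; Maven range syntax, assumed here.
      - dependency-name: "org.example:legacy-client"
        versions: ["[2.0,)"]
      # Constructed placeholder: for a whole group, let patch and minor
      # bumps through but never auto-file a major upgrade.
      - dependency-name: "org.example.framework:*"
        update-types: ["version-update:semver-major"]
      # Constructed placeholder: a dependency we pin deliberately and never
      # want PRs for at all.
      - dependency-name: "org.example:pinned-runtime"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Entries in `ignore` stop the bot from opening PRs for those upgrades; they do not silence the security alerts themselves, so a CVE in an ignored range still shows up and has to be handled by hand.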
