Here's a running list of PRs opened by the dependabot: https://github.com/apache/druid/pulls?q=is%3Apr+author%3Aapp%2Fdependabot
On Mon, Jun 7, 2021 at 12:22 PM Gian Merlino <g...@apache.org> wrote:

> There's been some extra discussion on this PR:
> https://github.com/apache/druid/pull/11079
>
> I just +1'ed it, but I wanted to come back here to say that IMO, we should
> avoid getting in the habit of blindly applying these updates without
> testing. There have been lots of situations in the past where a
> harmless-looking dependency upgrade broke something. Sometimes the new
> dependency version had a regression in it, and sometimes even without
> regressions it can introduce compatibility problems.
>
> So, I think it'd be good to apply the updates when we're confident in our
> ability to test them, and add ignores (or tests!) for the rest.
>
> On Thu, Apr 8, 2021 at 12:35 PM Xavier Léauté <xav...@confluent.io.invalid>
> wrote:
>
>> Thanks Maytas, I asked in that thread. They seemed concerned about write
>> access requested by dependabot,
>> but that should no longer be required as far as I can tell, now that it is
>> natively integrated into GitHub.
>> It should only be a matter of adding the config file to the repo, similar
>> to what we do to automate closing stale issues / PRs.
>>
>> On Tue, Apr 6, 2021 at 2:50 PM Maytas Monsereenusorn <mayt...@apache.org>
>> wrote:
>>
>> > I remember seeing someone asking about Dependabot in the asfinfra slack
>> > channel a few weeks ago. However, asfinfra said they cannot allow it.
>> > Here is the link:
>> > https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800
>> > I think this is the same as GitHub's dependabot.
>> >
>> > Best Regards,
>> > Maytas
>> >
>> >
>> > On Tue, Apr 6, 2021 at 2:37 PM Xavier Léauté <x...@apache.org> wrote:
>> >
>> > > Hi folks, as you know Druid has a lot of dependencies, and keeping up
>> > > with the latest versions of everything, whether it relates to fixing
>> > > CVEs or other improvements, is a lot of manual work.
>> > >
>> > > I suggest we enable GitHub's dependabot in our repository to keep our
>> > > dependencies up to date. The bot is also helpful in providing a short
>> > > commit log summary to understand changes.
>> > > This might yield a flurry of PRs initially, but we can configure it to
>> > > exclude libraries or version ranges that we know are unsafe for us to
>> > > upgrade to.
>> > >
>> > > It looks like some other ASF repos have this enabled already (see
>> > > https://github.com/apache/commons-imaging/pull/126), so hopefully this
>> > > only requires filing an INFRA ticket.
>> > >
>> > > Happy to take care of it if folks are on board.
>> > >
>> > > Thanks!
>> > > Xavier
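A `.github/dependabot.yml` along the lines the thread describes (a config file committed to the repo, a cap on the initial flurry of PRs, and ignores for libraries or version ranges the project cannot safely upgrade yet), added here as an illustration and not a file from the Druid repository or from this thread; the Maven ecosystem is assumed because Druid builds with Maven, and the dependency names and version ranges are placeholders.

```yaml
# Added illustration, not Druid's actual configuration.
# Dependabot reads this file from .github/dependabot.yml in the default branch.
version: 2
updates:
  - package-ecosystem: "maven"   # assumption: Druid is a Maven build
    directory: "/"               # where the root pom.xml lives
    schedule:
      interval: "weekly"
    # Limit how many update PRs are open at once so each one can be
    # reviewed and tested before merging instead of applied blindly.
    open-pull-requests-limit: 5
    ignore:
      # Placeholder entries: Maven names are groupId:artifactId.
      # Block a whole version range known to break compatibility ...
      - dependency-name: "org.example:placeholder-lib"
        versions: [">= 2.0.0"]
      # ... or skip only major bumps while still taking minor/patch fixes
      # (CVE fixes usually arrive as patch releases).
      - dependency-name: "org.example:other-placeholder"
        update-types: ["version-update:semver-major"]
```

Each ignore entry is a standing reminder that the upgrade still needs a test or a compatibility fix before the rule is removed.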