Hi everyone,

As part of our efforts to externalize connectors, I've also been in contact with the ASF to ask if it's possible to enable the Dependabot functionality of Github. It was previously possible to only enable the notification feature of Dependabot (which notifies you if there's a security vulnerability for one of your dependencies), but not the feature that automatically creates PRs to update such a dependency. That was because Dependabot creates new branches in the repository itself.

After consultation with ASF Legal [1] and ASF Infra [2] it has been concluded that all Dependabot features (including the automatic PR creation) are allowed. I was under the impression that the ASF would only enable this functionality first for the repository that I've requested, but ASF Infra has decided to enable Dependabot for the entire Apache foundation, including all Flink repositories. That's why you now see Dependabot create PRs also in the main Flink repo.

Most likely the PRs will fail on the CI pipeline, because they only update the dependency. So version updates aren't done in NOTICE files, causing the license checker to fail. Next to that, a dependency update can also include breaking changes which require more than just a version bump.

Do note that even though PRs are created, we still need to follow the Jira process for these types of PRs as far as I'm aware. So that means you need to create a Jira ticket, make sure the commit message is correct etc., everything that's agreed in the Flink Code Contribution Guide.

Best regards,

Martijn Visser
https://twitter.com/MartijnVisser82
https://github.com/MartijnVisser

[1] https://issues.apache.org/jira/browse/LEGAL-589
[2] https://issues.apache.org/jira/browse/INFRA-22646
