Hi, all,

I saw this JIRA https://issues.apache.org/jira/browse/IOTDB-1818 has been
finished without any discussion. But I still have some questions about the
daily dependency update mechanism.

According to the introduction
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates,
the update of any dependency happens when:

1. Security updates: the current version is vulnerable.

2. Version updates: a new version has been released, no matter whether
it's vulnerable or not.

Which update strategy do we use now? From the day the issue was closed until now I
have seen so many dependencies updated, and not all of them are security
issues. So I guess we use the version updates strategy.

However, we can't trust the latest version of every dependency unless we have
proved that it's stable and safe. For example, if a dependency releases a new
version 1.2.0, whose former version is 1.1.x, but 1.2.0 has broken
backward compatibility, our build may be broken. We should know that
semantic versioning is just an agreement, not a constraint. The bot can't
guarantee this mess will not happen. What's worse, if the new version has
some internal bugs, and the owner of the dependency can't give a fix release in
time, we will have to spend more work fixing the issues, or downgrade to a stable
one. It's not wise to always use the latest version in a production system,
especially a database. I think being stable is more important than being latest.

Can we leave the decision of when, why and whether to update the dependency to 
our developers, not a bot? What do you think?

Thanks.
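For reference, the two update modes described above map to different pieces of Dependabot configuration: security updates are switched on per repository and need no file, while version updates are driven by a `.github/dependabot.yml`. The following is an added example (not from this thread and not the IoTDB project's actual configuration) showing a version-update entry that assumes a Maven project at the repository root and restricts the bot to patch-level bumps, so that the major and minor upgrades the message worries about are left to a developer's decision:

```yaml
# Added example, not the project's own file. Assumes a Maven build in the
# repository root; adjust package-ecosystem/directory for other layouts.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"        # batch PRs instead of daily churn
    open-pull-requests-limit: 5 # cap the number of concurrent update PRs
    ignore:
      # Skip major and minor version bumps for every dependency; only
      # patch releases are proposed automatically. Security updates are
      # configured separately and are not affected by this ignore rule.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          - "version-update:semver-minor"
```

With this file in place, Dependabot still opens pull requests for patch releases and for advisories against vulnerable versions, but a 1.1.x to 1.2.0 change like the one in the example above would not be proposed by the bot. Removing the `updates` entry entirely disables version updates while leaving security updates in effect.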