Hi Eric,

We enable the dependabot only to solve the problem that developers cannot discover and fix CVE vulnerabilities in time.

At first, we wanted to enable dependabot through [1], so that we can only update the dependencies related to security vulnerability fixes. But for the Apache repos, we can't set the dependabot through [1] (or maybe we can apply to the Infra), so we finally enabled the dependabot through [2]. Of course, the shortcomings of enabling the dependabot through [2] are obvious: we are using the version-update strategy and we don't know whether the update is related to a CVE vulnerability fix.

> It's not wise to use the latest version in a production system always, especially
> a database. I think stable is more important than latest.

I do agree with you. Stability is more important.

> Can we leave the decision of when, why and whether to update the dependency
> to our developers, not a bot? What do you think?

The dependabot is only responsible for submitting a PR when a new release is found; whether the PR needs to be merged is up to our developers. Perhaps we should discuss when our developers should merge these PRs. For me, the following two types of PRs from the dependabot are acceptable:

1. Confirmed to be related to CVE vulnerability fixes
2. Minor version upgrades, such as 1.0.0 to 1.0.2

Thanks,
Steve Su
Tsinghua University

[1] https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/configuring-dependabot-security-updates
[2] https://github.com/apache/iotdb/pull/4097

------------------ Original ------------------
From: "dev" <[email protected]>;
Date: Wed, Oct 13, 2021 10:50 AM
To: "[email protected]"<[email protected]>;
Subject: Is it safe to use dependabot to update the dependency libs

Hi, all,

I saw this JIRA https://issues.apache.org/jira/browse/IOTDB-1818 had been finished without any discussions. But I still have some questions about the daily dependency update mechanism.

According to the introduction https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates, the update of any dependency happens when:

1. Security updates: The current version is vulnerable.
2. Version updates: A new version has been released, no matter whether it's vulnerable or not.

Which update strategy do we use now? From the day the issue closed to now I have seen so many dependencies have been updated, which are not all security issues. So I guess we use the version-updates strategy.

However, we can't trust any latest version of every dependency unless we have proved that it's stable and safe. For example, if a dependency released a new version 1.2.0, which has a former version 1.1.x, but 1.2.0 has broken the backward compatibility, our build may be broken. We should know that the semantic version is just an agreement, not a constraint. The bot can't guarantee this mess will not happen. What is worse, if the new version has some internal bugs, and the owner of the dependency can't give a fix release in time, we should spend more work to fix the issues, or downgrade to a stable one.

It's not wise to use the latest version in a production system always, especially a database. I think stable is more important than latest.

Can we leave the decision of when, why and whether to update the dependency to our developers, not a bot? What do you think?

Thanks.
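One way to express the compromise discussed above (accept patch and minor bumps, leave major bumps to a human decision) in Dependabot's version-update configuration. This is an added example, not the configuration from the IoTDB pull request [2]; it assumes a Maven build with its pom.xml at the repository root and a daily schedule as described in the thread.

```yaml
# .github/dependabot.yml (added example; assumes a Maven project rooted at "/")
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "daily"
    # Cap the number of concurrent version-update PRs so the queue stays reviewable.
    open-pull-requests-limit: 5
    ignore:
      # Do not open PRs for major bumps (e.g. 1.1.x -> 2.0.0), which may break
      # backward compatibility; minor and patch bumps (1.0.0 -> 1.0.2) still arrive.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

The ignore rule only narrows what the bot proposes; each remaining PR is still merged or closed by a developer, as the thread suggests.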
