Does Dependabot see the difference between test and runtime
dependencies? If it doesn't, is there any other tool which does?
While I agree with Elliotte that each dependency requires some care and
comes at a cost, I tend to stay reasonable about junit (and other test
deps) versions. While they get vulnerable, with ephemeral build
environments, exposure is fairly constrained, so they are neither first nor
second priority to take care of.
Best,
Łukasz
On 7/21/25 22:22, Matthias Bünger wrote:
It doesn't change the effort. It even adds one more project to update -
the one of the parent on top of the projects where the parent needs to
get updated...
On 21.07.2025 at 19:47, Andy Law wrote:
As more of a wider question, why would this not be specified in the
Parent POM if it were adopted as an “approved” dependency?
Later,
Andy
From: Matthias Bünger <mbuen...@apache.org>
Date: Monday, 21 July 2025 at 18:40
To: dev@maven.apache.org <dev@maven.apache.org>
Subject: Re: The use of AssertJ assertions
Hi all,
while I really like the AssertJ assertions, e.g. for readability and
expandability (custom assertions), I'm slightly against using it in a big
project like Maven (thinking of core, plugins, components) because of the
time it takes to keep the dependency up to date - we have about 100
repositories! AssertJ is, like JUnit, a dependency which gets updates
quite often. Applying them (even with the help of dependabot) takes a
lot of time. Since I'm a committer, a lot of the time I spent for
Maven, I spent on doing dependency updates.
So see this as a -0 (nb).
Matthias
On 21.07.2025 at 06:50, Giovanni van der Schelde wrote:
Hi all,
In a recent PR review, the use of AssertJ assertions was raised as a point
of discussion.
To avoid recurring debates and ensure the PR is reviewed for the changes
it provides, I’d like to propose that we clarify the goal regarding this,
and perhaps other, dependencies.
Specifically, should we:
- Remove the AssertJ dependency entirely to prevent its use?
- State that we support the dependency and accept its use in our tests?
Having a clear stance on this would help streamline code reviews and avoid
repeated discussions on future PRs.
Perhaps there are already some guidelines on this which I'm unaware of, so
I'm looking forward to your input.
Regards,
Giovanni van der Schelde
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org