Hi Team,

According to the notifications from ASF INFRA, they activated the dependencies check bot for all repositories. This afternoon (UTC+8), we received PRs (#8806 <https://github.com/apache/skywalking/pull/8806>, #8807 <https://github.com/apache/skywalking/pull/8807>, #8808 <https://github.com/apache/skywalking/pull/8808>, #8809 <https://github.com/apache/skywalking/pull/8809>, #8810 <https://github.com/apache/skywalking/pull/8810>) from this robot. I have closed all of them, but manually used mine [1] to take the action.

First, it is good we could have a robot to check this in case we missed any CVE-related fixes in our dependencies. But also, we should be careful, and more serious, when we try to bump up versions.

1. We should take care of the License (binary one) matching with version changes.
2. Make sure we have enough tests (e2e or manual tests) to make sure these new versions are good.

So, I recommend all committers manually bump up versions, and only take the robot's PR as a notification, rather than a code contribution.

[1] https://github.com/apache/skywalking/pull/8811

Sheng Wu 吴晟
Twitter, wusheng1108
