>
> What if latest versions of libraries have vulnerabilities or bugs or
> instabilities that have yet to be uncovered
>

So by not upgrading to the latest version - you are making the choice to
purposefully avoid known bug fixes and improvements as well. I don't think
any library makes a release on purpose that doesn't address any bugs or
fixes that could be useful.

> Solrbot is aggressively opening dependency upgrade PRs

Aggressively is an interesting characterization. Factually, PRs are being
opened on a configurable basis that includes different frequencies for more
often upgraded dependencies (i.e., AWS SDK). The PRs are opened so that there
is a lag and it's not immediate for new versions.

The more frequently we upgrade the easier it is to spot issues and
problems. Our randomized tests need time to go through different
combinations of libraries.

So I am 100% for the approach so far.

Kevin Risden


On Sun, Apr 2, 2023 at 12:04 AM Ishan Chattopadhyaya <
ichattopadhy...@gmail.com> wrote:

> Solrbot is aggressively opening dependency upgrade PRs. I think the general
> direction we're heading towards is to upgrade all dependency to the latest
> available versions.
>
> Should we pause to rethink if that's the best idea? What if latest versions
> of libraries have vulnerabilities or bugs or instabilities that have yet to
> be uncovered? By letting other projects use them first, and by being
> conservative in upgrading, we can ensure better stability and reliability
> for our releases.
>
> As a search engine, we don't need to upgrade each and every library at the
> earliest opportunity all the time.
>
> Any thoughts?
>
