The only thing I think I would add is that perhaps we should think of
things in terms of upgrading our direct dependencies. That ensures the
proper testing at the preceding levels. Updates of transitive deps are
somewhat more risky, though justifiable if there is a valid security
concern such as log4shell or similar of course.

On Mon, Apr 3, 2023 at 10:47 AM Houston Putman <hous...@apache.org> wrote:

> I agree with Jason and Kevin that it's better to err on the side of
> updating dependencies faster than updating them slower.
>
> We have (hopefully) comprehensive testing for a lot of the features that
> these dependencies are used for, and as Jason said we have ultimate
> discretion in merging.
>
> In general I'm surprised these libraries have so many updates, I was not
> imagining that we'd get a dozen updates a week.
>
> - Houston
>
> On Mon, Apr 3, 2023 at 9:01 AM Jason Gerlowski <gerlowsk...@gmail.com>
> wrote:
>
> > Hi all,
> >
> > New releases of dependencies can introduce new bugs for sure.  But I
> > think the rationale is generally that on the whole, a new release of
> > dependency Foo is going to fix more than it breaks (otherwise why
> > would the Foo project have done the release).
> >
> > Particularly since we still have discretion in merging (or ignoring)
> > these PRs, configuring their frequency, etc. I don't have any
> > objections with how things are done currently.
> >
> > Best,
> >
> > Jason
> >
> > On Sun, Apr 2, 2023 at 1:04 AM Kevin Risden <kris...@apache.org> wrote:
> > >
> > > >
> > > > What if latest versions of libraries have vulnerabilities or bugs or
> > > > instabilities that have yet to be uncovered
> > > >
> > >
> > > So by not upgrading to the latest version - you are making the choice to
> > > purposefully avoid known bug fixes and improvements as well. I don't think
> > > any library makes a release on purpose that doesn't address any bugs or
> > > fixes that could be useful.
> > >
> > > > Solrbot is aggressively opening dependency upgrade PRs
> > > >
> > >
> > > Aggressively is an interesting characterization. Factually PRs are being
> > > opened on a configurable basis that includes different frequencies for more
> > > often upgraded dependencies (ie: AWS sdk). The PRs are opened so that there
> > > is a lag and it's not immediate for new versions.
> > >
> > > The more frequently we upgrade the easier it is to spot issues and
> > > problems. Our randomized tests need time to go through different
> > > combinations of libraries.
> > >
> > > So I am 100% for the approach so far.
> > >
> > > Kevin Risden
> > >
> > >
> > > On Sun, Apr 2, 2023 at 12:04 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> > >
> > > > Solrbot is aggressively opening dependency upgrade PRs. I think the general
> > > > direction we're heading towards is to upgrade all dependencies to the latest
> > > > available versions.
> > > >
> > > > Should we pause to rethink if that's the best idea? What if latest versions
> > > > of libraries have vulnerabilities or bugs or instabilities that have yet to
> > > > be uncovered? By letting other projects use them first, and by being
> > > > conservative in upgrading, we can ensure better stability and reliability
> > > > for our releases.
> > > >
> > > > As a search engine, we don't need to upgrade each and every library at the
> > > > earliest opportunity all the time.
> > > >
> > > > Any thoughts?
> > > >
> >
>


-- 
http://www.needhamsoftware.com (work)
http://www.the111shift.com (play)
