CurtHagenlocher commented on issue #42: URL: https://github.com/apache/arrow-dotnet/issues/42#issuecomment-3283460857
I have mixed feelings. At some point, I committed a Dependabot-recommended change for System.Memory, System.Buffers and a bunch of other system packages and I definitely regret having done that. But there's also cases like System.CommandLine where we currently depend on a beta version of the package and should probably update it to a final version -- to say nothing of cases where there might be security fixes in a dependency. My current thinking is that Dependabot is helpful in pointing out new versions of dependencies, but approving them should be done conservatively and on a case-by-case basis. The push notification we get from Dependabot is better than having to manually poll dependencies to see what's changed.