epugh commented on PR #1230: URL: https://github.com/apache/solr/pull/1230#issuecomment-1345262013
> LGTM. No-brainer I suppose, being a patch release.
>
> New deps cannot “sneak” in unless a human adds License/Notice files manually. But if a new jetty includes a new jetty jar due to a split or something, then it will be covered by existing license file, and if the dep is optional we’d likely want to vet whether we need it or not.
>
> Btw, I’ve been testing Renovatebot on our repo for automated dependency PRs. Looks promising (after implementing a parser for consistent-versions plug-in first that is). Going to propose it on the dev list soon. Would you be supportive?

Anything that helps with reducing housekeeping and keeps us closer to the latest and greatest sounds good to me. I suspect that making it easier to stay up to date would reduce the frequency of CVE reports we get as well ;-). I know that I have found in stewarding Quepid that falling behind makes the eventual upgrade that much harder...

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org