epugh commented on PR #20: URL: https://github.com/apache/solr-orbit/pull/20#issuecomment-4534910278
I am on the fence on this. We (and of course other open source projects) need to figure out a better way to handle the dependency grind. For this repo, I actually don't see/know that we need to have release artifacts. I think "git clone" is a perfectly fine way of delivering this code. Secondly, I think a very periodic and manual update is fine. No one is deploying this code in "production", so the CVE etc. is much less important. Lastly, I hate when we get a dependency with lots of small releases, and we just get a million PRs for it. I would maybe care less if dependabot could open 1 PR a month with ALL the updates needed in that month. A quick visual check, and merge. 12 a year would be a perfectly nice number. That approach is what I've started doing on Quepid. I don't need a ton of individual PRs, I just do a yarn update or gem update, and then run all the tests, and yep, all good. I also DO know which dependencies are more prone to a breaking change, and then treat those separately.
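The monthly, grouped Dependabot run described in the comment above, written out as a `.github/dependabot.yml`. This is an added example, not part of the original thread and not the project's own configuration; the package ecosystem (`pip`), the `directory`, and the dependency name `some-fragile-lib` used to illustrate the "treat those separately" case are assumptions.

```yaml
# Added example: one grouped Dependabot PR per month instead of one PR per
# dependency release. Not this project's own config; the ecosystem ("pip"),
# the directory and the excluded package "some-fragile-lib" are assumptions.
version: 2
updates:
  - package-ecosystem: "pip"        # assumption: change to the repo's ecosystem
    directory: "/"
    schedule:
      interval: "monthly"           # one run per month, so roughly 12 PRs a year
    open-pull-requests-limit: 5
    groups:
      # Everything not known to break on update lands in a single PR.
      routine-updates:
        patterns:
          - "*"
        exclude-patterns:
          - "some-fragile-lib"      # assumption: a dependency prone to breaking changes
      # Dependencies prone to breaking changes get their own PR for closer review.
      breaking-prone:
        patterns:
          - "some-fragile-lib"
```

Dependabot assigns each dependency to the first group whose `patterns` match it and whose `exclude-patterns` do not, so the wildcard group with an exclusion followed by a named group is what splits "routine" from "handle separately". The grouped PR still needs CI to run the full test suite before the quick visual check and merge the comment describes.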
