Since before my involvement as a core maintainer, we have apparently had a policy to "only update detached plugins when we are forced to, for example because there was a security advisory," and to run LoadDetachedPluginsTest#noUpdateSiteWarnings when updating them. This policy predates my involvement as a core maintainer, and when it was introduced to me the reasoning behind it was not explicitly stated.
In recent years a few things have changed. First, we have seen an increased need to update libraries to satisfy security scanners, even when the old versions are not exploitable in Jenkins. Second, Dependabot is now proposing updates to these detached plugins, and ignoring these updates results in stagnant PRs. Third, we have occasionally seen a need to mitigate the impact of JENKINS-69361. Since 2022 I have been regularly updating detached plugins, justified as an exception to the usual policy in order to mitigate the impact of JENKINS-69361.

At this point in 2024, the exception has become the rule, so I would like to propose a change in policy to update detached plugins as the Dependabot PRs come in, for the reasons given in the preceding paragraph. Since manually running LoadDetachedPluginsTest#noUpdateSiteWarnings for each Dependabot PR is a nuisance, I would also like to propose that we drop the requirement for running this test or that we enable the test by default, accepting in the latter case that it will cause some friction during the small window of time after a security advisory marks a plugin release as vulnerable but before the relevant Dependabot PR(s) is/are picked up.

The main issue regarding updating detached plugins, if I recall correctly, was that this may (possibly?) limit users' ability to downgrade these plugins below the version that we bundle. I am not sure if this claim was ever verified. If this claim is verified, either by a user reporting the inability to downgrade such a plugin, or by manual testing, then I could possibly be fine with retaining the existing policy but disabling Dependabot updates to detached plugins to reduce PR noise.

-- 
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAFwNDjpd4XsQfQ49PfYU2EdmGrWGUiXKj0PJTV32CnpSAmNENA%40mail.gmail.com.
