Hi all,
Recently, I opened 2 PRs about removing an unused library[1] and bumping
various libraries[2]. I noticed that many dependencies of calcite are
outdated. To address this issue, I suggest enabling dependabot[3] to
automatically open "bump dependency" PRs and make calcite healthier.
If we en
Hi, Hongyu.
Your idea is great, and you also introduced the steps to use it.
We need more feedback about benefits and risks from calcite users.
# What are the benefits?
- Quickly fix dependency vulnerabilities.
- Balancing the workload of each upgrade (not 4.0 to 7.x).
- ...
# What are the risks?
I agree that we should be trying to stay on the most recent version of
our dependencies (with a few exceptions, such as JavaCC). Most of our
dependencies are mature libraries, and the latest version is more
likely to fix security problems than to introduce bugs.
However, I'm not sure that Dependab
Perhaps refreshVersions [1] can be used.
[1] https://splitties.github.io/refreshVersions/
On 6/11/2023 7:54 am, Julian Hyde wrote:
> I agree that we should be trying to stay on the most recent version of
> our dependencies (with a few exceptions, such as JavaCC). Most of our
> dependencies are mature
Upgrading dependencies is an important topic; thanks for starting the
discussion, Hongyu.
In terms of tooling, my experience with Dependabot in Apache Hive is
rather negative. Out of 52 PRs [1] raised by the bot, 34 [2] are
failing the build/tests. In most cases committers do not follow-up to
resolve
To remove some of the friction, we could set up a monthly schedule:
https://docs.github.com/fr/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval
This would remove the noise but still give us a checkpoint where we can
bump dependencies.
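For reference, here is what the monthly schedule suggested above, together with the JavaCC exception Julian raised earlier in the thread, would look like in a dependabot.yml. This is an added illustration for this thread, not a file from the Calcite repository; it assumes Calcite's build is a Gradle project at the repository root and that JavaCC is published under the Maven coordinate net.java.dev.javacc:javacc.

```yaml
# .github/dependabot.yml
# Added example for this discussion, not the Calcite project's own file.
# Assumptions: Gradle build at the repo root; JavaCC coordinate as below.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      # One batch of bump PRs per month instead of a daily trickle,
      # so the upgrade work arrives at a predictable checkpoint.
      interval: "monthly"
    # Cap the number of open bot PRs so a backlog of failing bumps
    # cannot pile up the way the Hive numbers above describe.
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    ignore:
      # Keep JavaCC pinned (the exception Julian mentioned); the bot
      # will not open PRs for this artifact at all.
      - dependency-name: "net.java.dev.javacc:javacc"
```

Dependabot picks the file up once it is on the default branch. The schedule only controls when PRs are opened; each bump still has to pass the normal CI before a committer merges it, so the monthly cadence limits noise but does not by itself fix the "nobody follows up on red PRs" problem.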
O