jclouds-user mailing list archives

From Fritz Elfert <fr...@fritz-elfert.de>
Subject Re: enable dependabot on jclouds github repo(s)?
Date Thu, 18 Mar 2021 15:07:35 GMT
On 18.03.21 15:38, Andrew Gaul wrote:
> On Thu, Mar 18, 2021 at 02:21:57PM +0100, Fritz Elfert wrote:
>> On 18.03.21 12:14, Andrew Gaul wrote:
>>> This is something we could experiment with although there are more
>>> considerations for upgrading dependencies than simply getting the latest
>>> version, as the recent thread about Guava and Guice demonstrates.  My
>>> experience with these automatic tools is that they work better for
>>> applications than frameworks.  We would also want to align with other
>>> Apache projects -- do we have some similar infrastructure already?
>>
>> dependabot is NOT about simply getting the latest version, but about security vulnerabilities.
>>
>> For example in my fork of jclouds at https://github.com/felfert/jclouds I can see
>> two warnings (only the owner of the repository sees those). For each warning, I also
>> got an email.
>> In addition, dependabot has created a PR for updating jetty. (The other vulnerability
>> does not have a fix yet.)
>> Ok, in this case (jetty being used for tests only) it could be neglected, but I have
>> seen several merged PRs
>> by dependabot in jenkins. Given that it is only visible to repo-owners and is really
>> non-intrusive it should
>> not hurt to switch this on and see if it proves useful.
> 
> [I notice you only replied to me individually.  I would prefer to take
> this thread back on-group if you reply to me.]
That was not intentional - I just hit the wrong reply-key, sorry. (Replying to the group now).

> 
> I understand that dependabot has value, even if you ignore or close the
> PR, but libraries like jclouds have other considerations.  Before
> jclouds 2.3.0 we maintained compatibility with Java 7 which meant that
> many suggested dependency upgrades were not valid.  We can debate the
> merits of that policy but it is easy to see how upgrades to Guava,
> Guice, and other dependencies break some user or another.
> 
> Again, I am happy to experiment with this.   But Aligning with the
> overall Apache project and reducing dependencies remain priorities.
> 
Understood
  -Fritz
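For readers of this thread: the two concerns raised above (wanting only the security-driven pull requests Fritz describes, while not having Dependabot propose Guava or Guice bumps that would break the compatibility policy Andrew mentions) can both be expressed in a `.github/dependabot.yml`. The file below is an added example and is not from the jclouds repository; the `directory`, schedule and the Guava version bound are assumptions chosen for illustration, not jclouds policy. Vulnerability alerts and the security-update PRs themselves are switched on in the repository's Security settings; this file only shapes what Dependabot proposes.

```yaml
# .github/dependabot.yml  (added example, not a file from the jclouds project)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"              # assumed: the pom.xml lives at the repo root
    schedule:
      interval: "weekly"
    # With the open-PR limit set to 0, Dependabot opens no routine
    # version-bump PRs for this ecosystem; PRs that fix a reported
    # vulnerability are still created when a fixed release exists.
    open-pull-requests-limit: 0
    ignore:
      # Keep dependencies with known compatibility constraints out of
      # Dependabot's suggestions entirely. The bound is hypothetical.
      - dependency-name: "com.google.guava:guava"
        versions: [">= 30.0"]
      - dependency-name: "com.google.inject:guice"
```

The `ignore` list is the knob that addresses the "Guava and Guice break some user" concern: a vulnerability in those artifacts would still surface as an alert to repository owners, but no PR would be opened for them, leaving the upgrade decision to a human.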
