Posted to dev@johnzon.apache.org by GitBox <gi...@apache.org> on 2020/12/28 07:45:54 UTC

[GitHub] [johnzon] rmannibucau commented on pull request #64: enable Dependabot v2

rmannibucau commented on pull request #64:
URL: https://github.com/apache/johnzon/pull/64#issuecomment-751618625


   Hi,
   
   I'm personally not that motivated by dependabot for these reasons:
   
   1. johnzon is a fully ASF project where we control and do all dependencies, so each time we do a new one we upgrade it as well, so dependabot will just be late in general
   2. dependabot has too many false positives
   3. dependabot does not handle libraries properly and tries to enforce upgrades when it shouldn't (upgrading a spec version whereas the lib must stay compatible with an older one is a common one)
   4. from other ASF projects which activated it I can say it makes a lot of noise which is not compensated by a real gain - in particular for the kind of project johnzon is, it is different for camel for example
   
   What do others think?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org