Posted to dev@skywalking.apache.org by Sheng Wu <wu...@gmail.com> on 2022/04/05 12:03:38 UTC

[Recommendation] Bump up dependencies versions manually

Hi Team

According to the notifications from ASF INFRA, they activated the
dependency check bot for all repositories. This afternoon (UTC+8), we
received PRs (#8806 <https://github.com/apache/skywalking/pull/8806> #8807
<https://github.com/apache/skywalking/pull/8807> #8808
<https://github.com/apache/skywalking/pull/8808> #8809
<https://github.com/apache/skywalking/pull/8809> #8810
<https://github.com/apache/skywalking/pull/8810>) from this robot. I have
closed all of them and manually used mine [1] to take the action.

First, it is good that we have a robot to check this in case we missed any
CVE-related fixes in our dependencies. But we should also be careful, and
more serious, when we bump up versions.
1. We should take care that the License (the binary one) matches the version
changes.
2. Make sure we have enough tests (e2e or manual tests) to confirm that these
new versions are good.

So, I recommend that all committers bump up versions manually, and only
take the robot's PR as a notification, rather than as a code contribution.

[1] https://github.com/apache/skywalking/pull/8811

Sheng Wu 吴晟
Twitter, wusheng1108
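One way to automate the license half of point 1 above, as an added example that is not part of the original post or of SkyWalking's own tooling: compare the dependency versions a bump lands in pom.xml against the coordinates listed in the binary LICENSE file, and report every bundled dependency whose LICENSE entry is missing or still names the old version. The pom and LICENSE layouts (literal groupId/artifactId/version, no XML namespace, one "group:artifact:version" line per bundled dependency) and both sample files are assumptions constructed for this example.

```python
"""Flag dependency versions that a bump left out of the binary LICENSE file.

Added example, not SkyWalking's code. It assumes (a) a Maven pom.xml whose
<dependency> blocks carry groupId/artifactId/version literally (no property
placeholders, no XML namespace) and (b) a LICENSE file that lists bundled
dependencies one per line as "groupId:artifactId:version", indented. Both
samples below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed pom fragment: a bot bumped widget-core from 2.3.1 to 2.4.0.
SAMPLE_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>widget-core</artifactId>
      <version>2.4.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>parser</artifactId>
      <version>1.9.2</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>test-only</artifactId>
      <version>0.3.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed binary LICENSE: still names the pre-bump widget-core version.
SAMPLE_LICENSE = """========================================================================
Apache-2.0 licenses
========================================================================
The following components are provided under the Apache-2.0 License.
    com.example:widget-core:2.3.1
    org.example:parser:1.9.2
"""

# One indented "group:artifact:version" coordinate per line (assumed layout).
COORD_LINE = re.compile(r"^[ \t]+([\w.-]+):([\w.-]+):([\w.+-]+)[ \t]*$", re.M)


def parse_pom_dependencies(pom_xml, skip_scopes=("test", "provided")):
    """Map (groupId, artifactId) -> version for dependencies that ship in
    the binary distribution. test/provided scopes are not bundled, so they
    are not expected in the binary LICENSE (assumption about the packaging)."""
    deps = {}
    for dep in ET.fromstring(pom_xml).iter("dependency"):
        group = dep.findtext("groupId")
        artifact = dep.findtext("artifactId")
        version = dep.findtext("version")
        scope = dep.findtext("scope", default="compile")
        if scope in skip_scopes or not (group and artifact and version):
            continue
        deps[(group, artifact)] = version
    return deps


def parse_license_dependencies(license_text):
    """Map (groupId, artifactId) -> version for every coordinate line."""
    return {(g, a): v for g, a, v in COORD_LINE.findall(license_text)}


def license_mismatches(pom_deps, license_deps):
    """Return (coordinate, pom_version, license_version) for every bundled
    dependency whose LICENSE entry is missing (None) or names another version."""
    problems = []
    for (group, artifact), version in sorted(pom_deps.items()):
        listed = license_deps.get((group, artifact))
        if listed != version:
            problems.append((f"{group}:{artifact}", version, listed))
    return problems


def check_bump(pom_xml=SAMPLE_POM, license_text=SAMPLE_LICENSE):
    """Run the comparison; an empty list means the LICENSE matches the pom."""
    return license_mismatches(parse_pom_dependencies(pom_xml),
                              parse_license_dependencies(license_text))


if __name__ == "__main__":
    for coord, new, listed in check_bump():
        print(f"{coord}: pom has {new}, LICENSE has {listed or 'no entry'}")
```

On the constructed sample the script reports only com.example:widget-core (pom 2.4.0, LICENSE 2.3.1); a non-empty result is the signal that the bot's bump needs a LICENSE edit before it can be merged. Versions expressed as ${property} placeholders and multi-module builds would need the pom resolved first, which this example does not do.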

Re: [Recommendation] Bump up dependencies versions manually

Posted by Jiajie Zhong <zh...@gmail.com>.
Good suggestion, and thanks, Calvin.

On Tue, Apr 5, 2022 at 9:47 PM CalvinKirs <ac...@163.com> wrote:
>
>
>
> CC
> We should do the same.
> Here is the PR [1] created.
> [1] https://github.com/apache/dolphinscheduler/labels/dependencies
>
>
> Best wishes!
> Calvin Kirs
>
>
> On 04/5/2022 20:03,Sheng Wu<wu...@gmail.com> wrote:
> Hi Team
>
> According to the notifications from ASF INFRA, they activated the
> dependency check bot for all repositories. This afternoon (UTC+8), we
> received PRs (#8806 <https://github.com/apache/skywalking/pull/8806> #8807
> <https://github.com/apache/skywalking/pull/8807> #8808
> <https://github.com/apache/skywalking/pull/8808> #8809
> <https://github.com/apache/skywalking/pull/8809> #8810
> <https://github.com/apache/skywalking/pull/8810>) from this robot. I have
> closed all of them and manually used mine [1] to take the action.
>
> First, it is good that we have a robot to check this in case we missed any
> CVE-related fixes in our dependencies. But we should also be careful, and
> more serious, when we bump up versions.
> 1. We should take care that the License (the binary one) matches the version
> changes.
> 2. Make sure we have enough tests (e2e or manual tests) to confirm that these
> new versions are good.
>
> So, I recommend that all committers bump up versions manually, and only
> take the robot's PR as a notification, rather than as a code contribution.
>
> [1] https://github.com/apache/skywalking/pull/8811
>
> Sheng Wu 吴晟
> Twitter, wusheng1108



-- 
Best Wish
— Jiajie

Re:[Recommendation] Bump up dependencies versions manually

Posted by CalvinKirs <ac...@163.com>.

CC
We should do the same.
Here is the PR [1] created.
[1] https://github.com/apache/dolphinscheduler/labels/dependencies


Best wishes!
Calvin Kirs


On 04/5/2022 20:03,Sheng Wu<wu...@gmail.com> wrote:
Hi Team

According to the notifications from ASF INFRA, they activated the
dependency check bot for all repositories. This afternoon (UTC+8), we
received PRs (#8806 <https://github.com/apache/skywalking/pull/8806> #8807
<https://github.com/apache/skywalking/pull/8807> #8808
<https://github.com/apache/skywalking/pull/8808> #8809
<https://github.com/apache/skywalking/pull/8809> #8810
<https://github.com/apache/skywalking/pull/8810>) from this robot. I have
closed all of them and manually used mine [1] to take the action.

First, it is good that we have a robot to check this in case we missed any
CVE-related fixes in our dependencies. But we should also be careful, and
more serious, when we bump up versions.
1. We should take care that the License (the binary one) matches the version
changes.
2. Make sure we have enough tests (e2e or manual tests) to confirm that these
new versions are good.

So, I recommend that all committers bump up versions manually, and only
take the robot's PR as a notification, rather than as a code contribution.

[1] https://github.com/apache/skywalking/pull/8811

Sheng Wu 吴晟
Twitter, wusheng1108