Posted to commits@daffodil.apache.org by GitBox <gi...@apache.org> on 2022/07/15 01:20:12 UTC

[GitHub] [daffodil-vscode] dependabot[bot] opened a new pull request, #225: Bump actions/setup-node from 3.3.0 to 3.4.1

dependabot[bot] opened a new pull request, #225:
URL: https://github.com/apache/daffodil-vscode/pull/225

   Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.3.0 to 3.4.1.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases">actions/setup-node's releases</a>.</em></p>
   <blockquote>
   <h2>Fix pnpm output and node-version  output issues</h2>
   <p>In scope of this release we fixed bugs related to the pnpm 7.5.1 output issue from <code>pnpm store path</code> <a href="https://github-redirect.dependabot.com/actions/setup-node/pull/545">actions/setup-node#545</a>. Moreover we fixed the issue with falling on node-version output <a href="https://github-redirect.dependabot.com/actions/setup-node/pull/540">actions/setup-node#540</a>.</p>
   <h2>Add support for asdf format and update actions/cache version to 3.0.0</h2>
   <p>In scope of this release we updated <code>actions/cache</code> package as the new version contains fixes for <a href="https://github-redirect.dependabot.com/actions/setup-node/pull/526">caching error handling</a>. Moreover, we added support for asdf format as Node.js version file <a href="https://github-redirect.dependabot.com/actions/setup-node/pull/373">actions/setup-node#373</a>. Besides, we introduced new output <a href="https://github-redirect.dependabot.com/actions/setup-node/pull/534">node-version</a> and added <code>npm-shrinkwrap.json</code> to dependency file patterns: <a href="https://github-redirect.dependabot.com/actions/setup-node/pull/439">actions/setup-node#439</a></p>
   </blockquote>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/actions/setup-node/commit/2fddd8803e2f5c9604345a0b591c3020ee971a93"><code>2fddd88</code></a> fixing pnpm output issue (<a href="https://github-redirect.dependabot.com/actions/setup-node/issues/545">#545</a>)</li>
   <li><a href="https://github.com/actions/setup-node/commit/ad8542ca5eddfadd434c12500073d0cfe51ca1c7"><code>ad8542c</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/actions/setup-node/issues/540">#540</a> from dmitry-shibanov/fix-error-node-version</li>
   <li><a href="https://github.com/actions/setup-node/commit/3d11add77113802f5dc907ae13379fa7ffdcd839"><code>3d11add</code></a> remove unused import</li>
   <li><a href="https://github.com/actions/setup-node/commit/072a2e3b100f5d9394c602616700b044ce5e72f8"><code>072a2e3</code></a> add trim and silent true</li>
   <li><a href="https://github.com/actions/setup-node/commit/28ad38fe0624edc69ffde19aa0a6b8be0573641f"><code>28ad38f</code></a> add try catch</li>
   <li><a href="https://github.com/actions/setup-node/commit/48de4c13f6f686eebe0d350838793fffd4421b26"><code>48de4c1</code></a> change to streams</li>
   <li><a href="https://github.com/actions/setup-node/commit/aab7cc882a63a6e74f0d36e92552d03d190d4e7e"><code>aab7cc8</code></a> add silent</li>
   <li><a href="https://github.com/actions/setup-node/commit/5b949b50c3461bbcd5a540b150c368278160234a"><code>5b949b5</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/actions/setup-node/issues/373">#373</a> from ganta/add-support-for-asdf-format-as-node-versio...</li>
   <li><a href="https://github.com/actions/setup-node/commit/09ba51f18e18a3756fea1f54d09c6745c064491d"><code>09ba51f</code></a> README.md: Encourage testing on current Node.js (<a href="https://github-redirect.dependabot.com/actions/setup-node/issues/533">#533</a>)</li>
   <li><a href="https://github.com/actions/setup-node/commit/b3ca1ac971f58028968bf4f3199547ade2bb277d"><code>b3ca1ac</code></a> Support npm-shrinkwrap.json out-of-the-box (<a href="https://github-redirect.dependabot.com/actions/setup-node/issues/439">#439</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/actions/setup-node/compare/v3.3.0...v3.4.1">compare view</a></li>
   </ul>
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@daffodil.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [daffodil-vscode] mbeckerle commented on pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
mbeckerle commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1220619134

   I have rather strong opinions on the bot update topic. I find them totally disruptive and I hate them. I see some value in them, but they're software development's equivalent to smart-phone text-messaging-alerts. One more source of distractions for an attention-deprived world. 
   
   Going through that checklist for every update is way too much work. 
   
   If we're going to be faced with this _barrage_ of bot PRs, it is a completely reasonable thing to do to just close these PRs with comment: "Not a critical security update, too disruptive. Closing."




[GitHub] [daffodil-vscode] dependabot[bot] commented on pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
dependabot[bot] commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1260249383

   Superseded by #308.




[GitHub] [daffodil-vscode] dependabot[bot] closed pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
dependabot[bot] closed pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1
URL: https://github.com/apache/daffodil-vscode/pull/225




[GitHub] [daffodil-vscode] stevedlawrence commented on pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
stevedlawrence commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1220641909

   I think you overestimate how much work is actually involved in this checklist in the majority of cases. It's a bit annoying maybe, and definitely low on my list of priorities to review, but as I (and I think @tuxji) can attest (we've done pretty much all of them for Daffodil), it really isn't that difficult or time consuming. Also if more people got involved in it (hint hint to all our other committers), it should be even less effort.
   
   The amount of effort to verify each item:
   
   - **Do all automated continuous integration checks pass?**
   Look at the bottom of the PR, trivial.
    
   - **Is the update a patch, minor, or major update?**
   Read the release notes, see if anything stands out. Again, pretty trivial. Most dependencies have release notes. If not, github (where most dependencies come from) has a feature to compare tags, it's pretty easy to skim through the commits and see if anything worrying/interesting jumps out.
   
   - **Is the license still compatible with ASF License Policy?**
   Licenses rarely change, and it's trivial to find the license and confirm.
   
   - **Have any changes been made to LICENSE/NOTICE files that need to be incorporated?**
   Again, license/notices rarely change. It's trivial to look at the history of the LICENSE/NOTICE file in github and see the last time it was modified.
   
   - **Have any transitive dependencies been added or changed?**
   This is the only one that I find a bit time consuming, but I've found that transitive dependencies don't change that much, and when they do the license rarely changes so it doesn't really matter.
   
   Furthermore, for things like this update where we don't distribute the dependency, the license stuff doesn't really matter and you can just say not applicable.
   
   I remember when Daffodil didn't do this, and it was a huge pain trying to manually update all the dependencies all at once prior to a release. Not only is it time consuming to manually figure out what has a newer version and what it is, it is sooooo much easier to do this piecemeal and have it all automated.
   
   I'm fine if we want to configure the bots to open PRs less frequently, but I'm strongly against removing the automation.




[GitHub] [daffodil-vscode] Shanedell commented on pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
Shanedell commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1220150892

   @stevedlawrence @mbeckerle When it comes to these PRs for `daffodil-vscode`, do you think it is fine to merge these items as long as CI passes and both myself and @scholarsmate approve? They have been sitting here for a bit and I would like to clear some out. I believe a lot have approvals from Davin and myself.




[GitHub] [daffodil-vscode] mbeckerle commented on pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
mbeckerle commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1220516227

   Two approvals, preferably by people working on the sub-effort who
   understand the nature of what is updating, and you are good to go.
   
   I thought we perhaps had a short checklist of what one is supposed to check
   about these before approving? @Steve Lawrence ??
   
   On Thu, Aug 18, 2022 at 9:50 PM Shane Dell wrote:
   
   > @stevedlawrence <https://github.com/stevedlawrence> @mbeckerle
   > <https://github.com/mbeckerle> When it comes to these PRs for
   > daffodil-vscode, do you think it is fine to merge these items as long as
   > CI passes and both myself and @scholarsmate
   > <https://github.com/scholarsmate> approve? They have been sitting here
   > for a bit and would like to clear some out I believe a lot have approvals
   > from Davin and myself.
   




[GitHub] [daffodil-vscode] stevedlawrence commented on pull request #225: Bump actions/setup-node from 3.3.0 to 3.4.1

Posted by GitBox <gi...@apache.org>.
stevedlawrence commented on PR #225:
URL: https://github.com/apache/daffodil-vscode/pull/225#issuecomment-1220578228

   Merging code always requires 2 +1's from committers. No exceptions.
   
   The checklist is here:
   
   https://cwiki.apache.org/confluence/display/DAFFODIL/Scala+Steward
   
   This is what we usually use for review comments to meet this checklist:
   
   ```
   - [] **Do all automated continuous integration checks pass?**
    
   - [] **Is the update a patch, minor, or major update?**
   
   - [] **Is the license still compatible with ASF License Policy?**
   
   - [] **Have any changes been made to LICENSE/NOTICE files that need to be incorporated?**
   
   - [] **Have any transitive dependencies been added or changed?**
   ```
   
   Add an `X` to check off the boxes and add a comment below each line answering the question.
   
   Also, in general, when in the middle of a release (like now) I tend to avoid reviewing/merging changes so that if there is a new rc needed it minimizes changes and makes reviewing the next rc easier.

