Posted to dev@druid.apache.org by Xavier Léauté <xv...@apache.org> on 2021/04/06 21:36:46 UTC

Enabling dependabot in our github repository

Hi folks, as you know Druid has a lot of dependencies, and keeping up with
the latest versions of everything, whether it relates to fixing CVEs or
other improvements, is a lot of manual work.

I suggest we enable Github's dependabot in our repository to keep our
dependencies up to date. The bot is also helpful in providing a short
commit log summary to understand changes.
This might yield a flurry of PRs initially, but we can configure it to
exclude libraries or version ranges that we know are unsafe for us to
upgrade to.

It looks like some other ASF repos have this enabled already (see
https://github.com/apache/commons-imaging/pull/126), so hopefully this only
requires filing an INFRA ticket.

Happy to take care of it if folks are on board.

Thanks!
Xavier

Re: Enabling dependabot in our github repository

Posted by Julian Hyde <jh...@gmail.com>.
I agree that PRs should not be committed immediately and unconditionally when the dependabot finds them. But if we defer, there is a concern that good PRs will be forgotten. How about making a particular person (say the release manager) or triggering event (say voting on an RC) responsible for checking all applicable PRs have been applied?

> On Jun 8, 2021, at 6:58 AM, Gian Merlino <gi...@apache.org> wrote:
> 
> Here's a running list of PRs opened by the dependabot:
> https://github.com/apache/druid/pulls?q=is%3Apr+author%3Aapp%2Fdependabot




Re: Enabling dependabot in our github repository

Posted by Gian Merlino <gi...@apache.org>.
Here's a running list of PRs opened by the dependabot:
https://github.com/apache/druid/pulls?q=is%3Apr+author%3Aapp%2Fdependabot

On Mon, Jun 7, 2021 at 12:22 PM Gian Merlino <gi...@apache.org> wrote:

> There's been some extra discussion on this PR:
> https://github.com/apache/druid/pull/11079
>
> I just +1'ed it, but I wanted to come back here to say that IMO, we should
> avoid getting in the habit of blindly applying these updates without
> testing. There's been lots of situations in the past where a
> harmless-looking dependency upgrade broke something. Sometimes the new
> dependency version had a regression in it, and sometimes even without
> regressions it can introduce compatibility problems.
>
> So, I think it'd be good to apply the updates when we're confident in our
> ability to test them, and add ignores (or tests!) for the rest.

Re: Enabling dependabot in our github repository

Posted by Gian Merlino <gi...@apache.org>.
There's been some extra discussion on this PR:
https://github.com/apache/druid/pull/11079

I just +1'ed it, but I wanted to come back here to say that IMO, we should
avoid getting in the habit of blindly applying these updates without
testing. There's been lots of situations in the past where a
harmless-looking dependency upgrade broke something. Sometimes the new
dependency version had a regression in it, and sometimes even without
regressions it can introduce compatibility problems.

So, I think it'd be good to apply the updates when we're confident in our
ability to test them, and add ignores (or tests!) for the rest.

On Thu, Apr 8, 2021 at 12:35 PM Xavier Léauté <xa...@confluent.io.invalid>
wrote:

> Thanks Maytas, I asked in that thread. They seemed concerned about write
> access requested by dependabot,
> but that should no longer be required as far as I can tell, now that it is
> natively integrated into GitHub.
> It should only be a matter of adding the config file to the repo, similar
> to what we do to automate closing stale issues / PR.

Re: Enabling dependabot in our github repository

Posted by Xavier Léauté <xa...@confluent.io.INVALID>.
Thanks Maytas, I asked in that thread. They seemed concerned about write
access requested by dependabot,
but that should no longer be required as far as I can tell, now that it is
natively integrated into GitHub.
It should only be a matter of adding the config file to the repo, similar
to what we do to automate closing stale issues / PR.

On Tue, Apr 6, 2021 at 2:50 PM Maytas Monsereenusorn <ma...@apache.org>
wrote:

> I remember seeing someone ask about Dependabot in the asfinfra Slack channel
> a few weeks ago. However, asfinfra said they cannot allow it.
> Here is the link:
> https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800
> I think this is the same as Github's dependabot.
>
> Best Regards,
> Maytas
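
A `.github/dependabot.yml` that would implement the controls discussed in this thread: the exclusions for libraries or version ranges that are unsafe to upgrade (Xavier's original proposal, and the "add ignores" Gian asks for), plus a cap on open PRs to tame the initial flurry so each update can be tested before it is merged. This is an added illustration, not a file from the Druid repository; the Maven root directory and the `org.example` dependency names are placeholders.

```yaml
# .github/dependabot.yml (added example; placeholder values are marked as such)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"              # assumes the root pom.xml; adjust to the real layout
    schedule:
      interval: "weekly"
    # Cap the number of open bot PRs so each one gets reviewed and tested
    # rather than merged blindly; lowering this also limits the initial flurry.
    open-pull-requests-limit: 5
    # Label the bot's PRs so a release manager can list the ones still pending.
    labels:
      - "dependencies"
    commit-message:
      prefix: "deps"
    ignore:
      # Placeholder: a library whose newer releases are known to break us,
      # so only versions below 3.0.0 are proposed.
      - dependency-name: "org.example:legacy-client"
        versions: [">= 3.0.0"]
      # Placeholder: skip major-version bumps for a whole group of artifacts
      # (wildcards in dependency-name are supported) while still taking
      # minor and patch updates, which is where most CVE fixes land.
      - dependency-name: "org.example.platform:*"
        update-types: ["version-update:semver-major"]
```

Entries under `ignore` are the place to record upgrades the project has tested and rejected, so the same PR does not keep reappearing.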

Re: Enabling dependabot in our github repository

Posted by Maytas Monsereenusorn <ma...@apache.org>.
I remember seeing someone ask about Dependabot in the asfinfra Slack channel
a few weeks ago. However, asfinfra said they cannot allow it.
Here is the link:
https://the-asf.slack.com/archives/CBX4TSBQ8/p1616539376210800
I think this is the same as Github's dependabot.

Best Regards,
Maytas


On Tue, Apr 6, 2021 at 2:37 PM Xavier Léauté <xv...@apache.org> wrote:

> Hi folks, as you know Druid has a lot of dependencies, and keeping up with
> the latest versions of everything, whether it relates to fixing CVEs or
> other improvements, is a lot of manual work.
>
> I suggest we enable Github's dependabot in our repository to keep our
> dependencies up to date. The bot is also helpful in providing a short
> commit log summary to understand changes.
> This might yield a flurry of PRs initially, but we can configure it to
> exclude libraries or version ranges that we know are unsafe for us to
> upgrade to.
>
> It looks like some other ASF repos have this enabled already (see
> https://github.com/apache/commons-imaging/pull/126), so hopefully this
> only requires filing an INFRA ticket.
>
> Happy to take care of it if folks are on board.
>
> Thanks!
> Xavier
>