You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2020/10/14 13:15:29 UTC
[GitHub] [commons-weaver] nhojpatrick opened a new pull request #5: enable dependabot
nhojpatrick opened a new pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-weaver] rmannibucau commented on pull request #5: enable dependabot
Posted by GitBox <gi...@apache.org>.
rmannibucau commented on pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5#issuecomment-798869333
From what i see, dependabot has more false positives than benefits, in particular for commons projects so not sure it makes sense to bulk enable it like that.
Upgrades are often a prerelease review task where project knowledge helps to pick relevant ones only.
Just my 2 cts
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-weaver] garydgregory commented on pull request #5: enable dependabot
Posted by GitBox <gi...@apache.org>.
garydgregory commented on pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5#issuecomment-798896440
I like Dependabot but I've only enabled it for the components I care about.
There has been discussion of having a separate list for bots to send
message, which some fuzzing service could also use.
Gary
On Sun, Mar 14, 2021, 06:04 sebbASF ***@***.***> wrote:
> Agreed.
>
> There are often several dependency updates between releases.
> With dependabot, each one is treated separately, instead of doing them all
> at the same time.
>
> That's a waste of time and resources, clogging up the mailing lists.
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <https://github.com/apache/commons-weaver/pull/5#issuecomment-798880200>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AAJB6N6XNZM74ZBRKBCSRBTTDSC2VANCNFSM4SQTBGTA>
> .
>
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-weaver] nhojpatrick commented on pull request #5: enable dependabot
Posted by GitBox <gi...@apache.org>.
nhojpatrick commented on pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5#issuecomment-798805711
> It does not make sense to have dependabot without a github build IMO, this should be done like the other Commons components that use the default Maven goal.
@garydgregory lots of the other commons project are using dependabot, it also can just create a branch containing the updates and then other cicd spot those branches and build them. You don't have to force yourself into have a GitHub vendor lock in. If it was my choice, Commons would be using Renovate running on Apache Infrastructure and Apache Jenkins Farm and just have GitHub for Source Code and PR's.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-weaver] nhojpatrick closed pull request #5: enable dependabot
Posted by GitBox <gi...@apache.org>.
nhojpatrick closed pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: issues-unsubscribe@commons.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-weaver] garydgregory commented on pull request #5: enable dependabot
Posted by GitBox <gi...@apache.org>.
garydgregory commented on pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5#issuecomment-757583115
It does not make sense to have dependabot without a github build IMO, this should be done like the other Commons components that use the default Maven goal.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [commons-weaver] sebbASF commented on pull request #5: enable dependabot
Posted by GitBox <gi...@apache.org>.
sebbASF commented on pull request #5:
URL: https://github.com/apache/commons-weaver/pull/5#issuecomment-798880200
Agreed.
There are often several dependency updates between releases.
With dependabot, each one is treated separately, instead of doing them all at the same time.
That's a waste of time and resources, clogging up the mailing lists.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org