On Sun, 29 Aug 2021 at 15:42, Gary Gregory <garydgreg...@gmail.com> wrote:
>
> Most of Apache Commons' components are happy users of Dependabot, which is
> used on our GitHub mirrored repositories.

Not all the developers are happy, however, as it generates lots and lots of mail traffic, as well as extra work.

It has doubled the issues traffic, e.g.
https://lists.apache.org/list.html?iss...@commons.apache.org:2018-11
https://lists.apache.org/list.html?iss...@commons.apache.org:2019-11

It also affects the commit traffic.

It might be suitable for a project with few components and frequent releases, but for Commons it means that lots of PRs can be generated for components that are rarely updated.

Also note that it does not know if an updated dependency is usable: e.g. if the dependency requires a more recent JVM release. This needs checking before the PR can be applied.

A dependency may be updated several times between releases. This all increases the amount of work.

YMMV

> Gary
>
>
> On Sun, Aug 29, 2021, 10:38 lewis john mcgibbney <lewi...@apache.org> wrote:
>
> > Hi builds@,
> > I was advised to ask my question here instead of general@incubator.
> > Thanks for any feedback
> >
> > > I understand that we cannot use automated tooling, specifically Dependabot
> > > (https://dependabot.com/) because it requests write access to the ASF
> > > project source code.
> > > I have found this functionality to be really useful and wondered if there
> > > are any suggestions out there for automating the dependency management
> > > workflow?
> > > Thanks for any feedback.
> > > lewismc
> >
> > --
> > http://home.apache.org/~lewismc/
> > http://people.apache.org/keys/committer/lewismc