On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg <ebo...@apache.org> wrote:
>
> On 03/10/2023 at 20:18, Bruno Kinoshita wrote:
> > Same for me, I prefer to know ahead of time if there are any issues with
> > dependencies.
>
> But the Commons components are mostly dependency-less, we are flooded by
> dependabot requests to update non code related dependencies (Maven
> plugins, GitHub actions) for non critical purposes. It would be better
> to have such notifications for CVEs only.

I also hate the noise, but I share the pay-as-you-go mentality that Gary and Bruno express. Shoving too many updates in the run-up to the release can make things harder and cause things to be missed. I was bitten badly some years back by a plugin update that caused release jars to be borked. I would have more likely caught it if the update had happened sooner. I think sebb's suggestion of decreasing check frequency is practical.

Phil

>
> Emmanuel Bourg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org