The dependabot check is once a week on Friday which is, IMO, just right.

Gary

On Wed, Oct 4, 2023, 7:18 PM Phil Steitz <phil.ste...@gmail.com> wrote:

> On Tue, Oct 3, 2023 at 1:42 PM Emmanuel Bourg <ebo...@apache.org> wrote:
> >
> > On 03/10/2023 at 20:18, Bruno Kinoshita wrote:
> > > Same for me, I prefer to know ahead of time if there are any issues with
> > > dependencies.
> >
> > But the Commons components are mostly dependency-less, we are flooded by
> > dependabot requests to update non code related dependencies (Maven
> > plugins, GitHub actions) for non critical purposes. It would be better
> > to have such notifications for CVEs only.
>
> I also hate the noise, but I share the pay-as-you-go mentality that
> Gary and Bruno express. Shoving too many updates in the run-up to the
> release can make things harder and cause things to be missed. I was
> bitten badly some years back by a plugin update that caused release
> jars to be borked. I would have more likely caught it if the update
> had happened sooner. I think sebb's suggestion of decreasing check
> frequency is practical.
>
> Phil
>
> > Emmanuel Bourg
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org