> > I don't that it is useful (IMHO, it is even harmful if it is littered
> > with hardly
> > informative automated messages that drown functional changes).
> > Fine if there is an easy and safe way to update a dependency, but
> > should we thank a robot?
> >
>
> Do you mean we should leave out the whole line or just the "Thanks to
> Dependabot" part?
> The whole line.

oh now I get what you mean... yes non-primary message shall not appear in release note I agree. otherwise message overflow.

bc breaking dependency updates are another situation.

Xeno Amess

________________________________
From: Gilles Sadowski <gillese...@gmail.com>
Sent: Monday, February 10, 2025 6:45:06 PM
To: Commons Developers List <dev@commons.apache.org>
Subject: Re: [All] Useless update of "changes.xml"

Hi.

On Mon, Feb 10, 2025 at 11:25, Arnout Engelen <enge...@apache.org> wrote:
>
> On Mon, Feb 10, 2025 at 10:21 AM Gilles Sadowski <gillese...@gmail.com>
> wrote:
>
> > The commit below will generate a line in the release notes that says
> > "Thanks to Dependabot".
> >
>
> It generates a line that says "Bump org.apache.commons:commons-rng-bom from
> 1.5 to 1.6 #244 Thanks to Dependabot.".

I know (that's what I meant above).
The point is that it is not something I consider should appear in the changelog. When we did/do it "manually", it was a change in the "pom.xml" that would appear in the CVS commit log.
In most releases now, the self-promotion of Dependabot obscures the true changes.

> > I don't that it is useful (IMHO, it is even harmful if it is littered
> > with hardly
> > informative automated messages that drown functional changes).
> > Fine if there is an easy and safe way to update a dependency, but
> > should we thank a robot?
> >
>
> Do you mean we should leave out the whole line or just the "Thanks to
> Dependabot" part?

The whole line.

>
> I tried to follow the convention from other Commons projects where each
> dependency update gets such a line in the changelog.

Well, the "convention" in math-related components was to follow the previous convention. ;-)
Which was to do such dependency updates when deemed necessary (by a human), usually at the latest before a release.

> I don't mind the lines
> in the change log too much (it seems useful to see what got updated,
> especially when we group update lines in the log).

Information is useful; such updates "inter-releases" is not IMHO.

> On the other hand, I do
> think it's cumbersome that I can't simply merge a dependabot PR, but have
> to go in and update changes.xml. That doesn't seem easy to automate,
> though, and I'd say we don't want to add additional steps to the release
> process either.

Sure. I didn't suggest anything of the like.
As it stands, I prefer to not rely on Dependabot to do the change; the useful part of that tool is to make checks, and "say" that it would be harmless to update.

Regards,
Gilles

>> [...]