On Mon, Feb 10, 2025 at 11:45 AM Gilles Sadowski <gillese...@gmail.com> wrote:
> On Mon, Feb 10, 2025 at 11:25, Arnout Engelen <enge...@apache.org> wrote:
>
> > Do you mean we should leave out the whole line or just the "Thanks to
> > Dependabot" part?
>
> The whole line.
>
> > I tried to follow the convention from other Commons projects where each
> > dependency update gets such a line in the changelog.
>
> Well, the "convention" in math-related components was to follow the
> previous convention. ;-) Which was to do such dependency updates
> when deemed necessary (by a human), usually at the latest before a
> release.
>
> > I don't mind the lines
> > in the change log too much (it seems useful to see what got updated,
> > especially when we group update lines in the log).
>
> Information is useful; such updates "inter-releases" is not IMHO.
>
> As it stands, I prefer to not rely on Dependabot to do the change; the
> useful part of that tool is to make checks, and "say" that it would be
> harmless to update.
>

Gotcha, I didn't realize different commons- components had different ways of
working here, sorry about that.

So for commons-math, you'd prefer Dependabot PRs to be created but not merged
(or at least not during regular development), right? Shall I configure a
'[not for merge]' prefix
(https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#adding-a-prefix-to-commit-messages)
for the generated commit/PR titles? Otherwise I'm sure I'll forget and run
afoul of this again :).

Kind regards,

--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant