> Gotcha, I didn't realize different commons- components had different ways of working here, sorry about that.
Yes. Gilles tends to remain on old versions of dependencies, and worries that people who use old versions of a dependency cannot upgrade to new versions of commons-lib. So Gilles and the math libs nearly refuse all Dependabot updates. Gary, on the other hand, tends to use dependencies as new as possible for features, refinements, performance and safety patches, and cares more for users who use the latest dependencies too. There have been several discussions before, but as both ways, you see, are somehow reasonable, and none of them is nonsense, there is actually no common way to solve it.

On Mon, Feb 10, 2025 at 19:11, Arnout Engelen <enge...@apache.org> wrote:

> On Mon, Feb 10, 2025 at 11:45 AM Gilles Sadowski <gillese...@gmail.com>
> wrote:
>
> > On Mon, 10 Feb 2025 at 11:25, Arnout Engelen <enge...@apache.org>
> > wrote:
> > > Do you mean we should leave out the whole line or just the "Thanks to
> > > Dependabot" part?
> >
> > The whole line.
> >
> > > I tried to follow the convention from other Commons projects where each
> > > dependency update gets such a line in the changelog.
> >
> > Well, the "convention" in math-related components was to follow the
> > previous convention. ;-) Which was to do such dependency updates
> > when deemed necessary (by a human), usually at the latest before a
> > release.
> >
> > > I don't mind the lines
> > > in the change log too much (it seems useful to see what got updated,
> > > especially when we group update lines in the log).
> >
> > Information is useful; such updates "inter-releases" is not IMHO.
> >
> > As it stands, I prefer to not rely on Dependabot to do the change; the
> > useful part of that tool is to make checks, and "say" that it would be
> > harmless to update.
> >
>
> Gotcha, I didn't realize different commons- components had different ways
> of working here, sorry about that.
>
> So for commons-math, you'd prefer Dependabot PRs to be created but not
> merged (or at least not during regular development), right? Shall I
> configure a '[not for merge]' prefix (
> https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependabot-prs#adding-a-prefix-to-commit-messages
> ) for the generated commit/PR titles? Otherwise I'm sure I'll forget and run
> afoul of this again :).
>
>
> Kind regards,
>
> --
> Arnout Engelen
> ASF Security Response
> Apache Pekko PMC member, ASF Member
> NixOS Committer
> Independent Open Source consultant
>