On Fri, Oct 31, 2025 at 7:04 AM Piotr P. Karwasz <[email protected]> wrote:
>
> Hi all,
>
> As many of you have probably noticed, Dependabot PR churn currently
> accounts for the majority of notifications from the Commons
> repositories. We can significantly reduce this noise by taking a few steps:

Folks have proposed in the past creating a separate mailing list for Dependabot (or GitHub), but no one's done the work. The current setup works great for me, YMMV as it obviously does. I use GMail as my primary email client, which also works great.

>
> - Centralize workflows in `commons-parent` (or a new `commons-actions`
> repository) so that GitHub Actions updates happen only once.

This would be painful as it creates delays and churn when you want something done. I only see pain for that one. We already have three (3!) different git repositories for build-related activities (parent, build plugin, release plugin); adding a 4th will make maintenance more painful. I could see merging the build and release plugin as actually useful.

> - Avoid overriding Maven plugin versions unless there's a strong reason
> to do so.

No way. This is part of participating in the Maven and general FOSS ecosystem. Eat out of your own kitchen, is the saying.

> - Use grouped Dependabot updates to upgrade multiple dependencies in a
> single PR.

What does this mean? I prefer granularity over big-bang PRs.

> - Adjust Dependabot's update schedule to match repository activity
> (e.g., `monthly`, `quarterly`, or `yearly`).

It was changed a while back from daily, which was too often, to weekly, which feels like a nice pace to me. Yearly? You must be joking.

> Manual runs can still be
> triggered anytime under Insights -> Dependency Graph -> Dependabot,
> especially before a release.
> - Move shared dependency management (such as test dependencies) into
> `commons-parent`, where appropriate.

That's already the case (JUnit, for example).

This all feels to me like the tail wagging the dog.

>
> Reducing unnecessary Dependabot churn will help us focus on changes that
> truly matter. Note that Dependabot will still automatically create PRs
> for security vulnerabilities in direct dependencies, regardless of other
> settings.

See the mailing list idea above, which no one in the past has seemed to care about enough to work on.

Gary

>
> What do you think?
>
> Best,
> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
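As an added illustration that is not part of this thread and not any Commons repository's actual configuration, the following constructed `.github/dependabot.yml` shows the two Dependabot settings Piotr's proposal refers to: a `groups` entry that collects matching Maven plugin updates into a single PR (the answer to "what does this mean"), and a `schedule.interval` per ecosystem. The group name `maven-plugins`, the `org.apache.maven.plugins:*` pattern and the chosen intervals are assumptions for the example; as Piotr notes, Dependabot security updates for direct dependencies are still raised regardless of these settings.

```yaml
# Constructed example (not a Commons repository's real file).
version: 2
updates:
  # Maven dependencies and plugins of the project itself.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"      # assumed; the thread mentions daily -> weekly
    groups:
      # Assumed group name: all Maven plugin bumps land in one PR
      # instead of one PR per plugin. Dependencies that match no
      # group still get their own PR, so granularity is kept there.
      maven-plugins:
        patterns:
          - "org.apache.maven.plugins:*"
  # GitHub Actions used by the workflows in this repository.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"     # assumed; one of the intervals Piotr lists
```

Grouping changes only how version updates are batched; it does not suppress them, and a manual run from Insights -> Dependency Graph -> Dependabot (as mentioned above) still applies the same grouping.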
