On Sat, 1 Nov 2025 at 18:13, Piotr P. Karwasz <[email protected]> wrote:
>
> Hi Sebb,
>
> On 31.10.2025 18:36, sebb wrote:
> > Updating dependencies every week is overkill, and can result in
> > multiple updates of the same plugin between releases.
> >
> > I think we should try quarterly updates, and see if there are any issues.
> >
> I agree.
>
> - If we keep using single Dependabot PRs (which can occasionally update
>   multiple artifacts when a BOM or Maven property changes), then
>   `quarterly` updates sound reasonable.
> - If we decide to group updates by category: for example, GitHub
>   Actions, Maven production, build, and testing dependencies, then a
>   `monthly` schedule might also work.

The dependabot configs already have separate sections for maven and github-actions.
At present they are almost all both weekly.
I think we might as well keep weekly checks for github-actions.
These don't change all that frequently, so should not generate much noise.

> On my side, I’ll work on moving as many non-runtime dependencies as
> possible (such as GitHub Actions and Maven plugins) to `commons-parent`,
> since these account for the majority of Dependabot upgrades in practice.

It must still be possible for a component to override a Maven plugin without waiting for a parent release.

> Piotr
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
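
The grouped option discussed in this thread, sketched as a `.github/dependabot.yml` (an added example, not part of either message and not taken from any Apache Commons repository). The group names and dependency patterns are assumptions chosen for illustration.

```yaml
# Added example; group names and patterns are hypothetical.
version: 2
updates:
  # GitHub Actions: weekly checks kept, as suggested in the reply.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"

  # Maven: one PR per category on a monthly schedule.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      # A dependency joins the first group it matches, so the
      # catch-all production group must come last.
      maven-build:
        patterns:
          - "org.apache.maven.plugins:*"
          - "org.codehaus.mojo:*"
      maven-testing:
        patterns:
          - "org.junit*"
          - "org.mockito:*"
      maven-production:
        patterns:
          - "*"
```

For the ungrouped alternative, remove the `groups` block from the Maven entry and set its `interval` to `quarterly`. Dependabot security updates are enabled separately in the repository settings and are raised when an advisory is published, so a longer version-update interval does not delay them.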
