SGTM I think it's good practice to give a couple of weeks before the upgrade
On Tue, 21 Apr 2026 at 07:13, Tian Gao via dev <[email protected]> wrote: > Hi, I want to start a discussion about our dependency upgrade policy for > active development. > > Our current dependency upgrade (mostly for Java, but Python should be > included too) is a bit spontaneous. People find that a dependency has a new > version available and we just do the upgrade. > > This raises concerns about potential supply chain attacks. We already > established a few sets of rules (including pinning the github action > versions) to avoid the supply chain attack, but manually upgrading the > dependency version too eagerly could also be risky. > > It normally takes time for a bad release to be recognized, so I think we > should set a buffer time before upgrading to the latest version. For > example, we can wait a week or two after the latest release before we set > our development dependency to it. This could reduce the possibility of > being impacted by malicious releases, or just give them enough time to fix > their own severe bugs. > > The cost for this policy is very low - it barely impacts us if we can’t > use the “latest” version of dependencies. > > Of course, there should be exceptions when dependency upgrades include > security fixes for known vulnerabilities; we should upgrade as fast as > possible. > > Tian >
