+1 (non-binding). Java/Scala deps are controlled manually so it's easy to audit. Also looking forward to a lock file (or similar things) for Python deps so we know which exact versions of deps are used for testing.
Thanks,
Cheng Pan

> On Apr 24, 2026, at 18:03, Steve Loughran <[email protected]> wrote:
>
> +1 (non binding)
>
> On Fri, 24 Apr 2026 at 00:03, Tian Gao via dev <[email protected] <mailto:[email protected]>> wrote:
>> Hi, as discussed in https://lists.apache.org/thread/lwgqo36pqzlddtq2f8fxy6c1jj8go4x6 , I'm proposing a vote for a buffer time to upgrade our dependencies.
>>
>> The proposal is:
>> For the apache/spark repo only, we can only upgrade third-party dependencies (including Apache projects) to a version released at least seven days ago. This covers Java, Python and all other dependencies. Security upgrades are exempted and will be conducted by PMCs.
>>
>> [ ] +1: approve
>> [ ] 0: no opinion
>> [ ] -1: disapprove
>>
>> This is a procedural vote (no code change) so we need a simple majority (more +1s than -1s).
>>
>> Tian
