On 15/11/2025 22:22, Piotr P. Karwasz wrote:
> Hi Gary,
>
> On 15.11.2025 19:12, Gary Gregory wrote:
>> -1 I please that's a component that I am actively maintaining and releasing.
>
> I’m with Sebb on this one (see [1]).
>
> While Commons IO does have releases every 3–4 months, this year we’ve
> seen 71 Dependabot PRs [2] compared to 32 non-Dependabot PRs [3].
> ByteBuddy alone has been upgraded 8 times, meaning 2–3 updates per
> release, even though it’s not a runtime dependency.
>
> I absolutely understand the need to regularly upgrade *runtime*
> dependencies so we can test them and provide feedback upstream (often
> within Commons itself). I also see the value in verifying updates to the
> build system (`commons-parent`), although I’m still unsure why
> we need 14 `commons-parent` releases per year, but that’s a separate issue.
>
> Given all this, I fully support upgrading dependencies on a roughly
> 3-month schedule. That seems like a reasonable balance that reduces the
> overall noise-to-signal ratio to something closer to 50% or below.

+1 as well, the flood of Dependabot PRs has to be regulated. It's not a
code change but a process decision; vetoes do not apply in this case.
Emmanuel Bourg