Investigate options for lowering dependency upgrades noise #192

Closed
rhusar opened this issue Jun 21, 2022 · 4 comments

@rhusar
Member

rhusar commented Jun 21, 2022

Problems

  1. Currently, certain dependencies produce a lot of dependency upgrades – e.g. last week there were 5 AWS SDK ones. Moreover, some of these projects don't seem to adhere to semver as they do include features in PATCH version releases while those are defined as "version when you make backwards compatible bug fixes".
  2. This generates a lot of notifications for project owners following PR notifications; n.b. this is not a problem for consumers, as those can only set up to watch releases or issues.
  3. Merging all upgrades also makes git log harder to manage.

The reasons why we want to consume the latest versions are to:

  1. Consume latest security patches.
  2. Be able to detect intentional and unintentional breaking changes timely.
  3. Provision the most up to date version for users consuming the project using the Maven `mvn dependency:copy-dependencies -DoutputDirectory=$RHDG_HOME/server/lib -DincludeScope=runtime -DexcludeGroupIds=org.jgroups` method.

Options - sorted from worst to best:

  1. Disable updates completely.
  2. Enable automatic merging – this would require the CI to be able to consume secret credentials and test against live cloud provider instance. Still generates notifications.
  3. Disable updates for PATCH (MICRO) releases from certain noisy dependencies.
  4. Keep update configuration as is, project owners disable PR notifications for the project. Only test and bump before the release or whenever we get to it. Might miss community PRs but we can employ CODEOWNERS for actual code changes to request review from owners.

Other suggestions? Thoughts?
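For readers wondering what option 3 looks like in practice, here is an added illustration of a `.github/dependabot.yml` that keeps version updates on but ignores patch-level bumps from the noisy dependencies only. It is not the configuration the project committed in 3f261d2; the `maven` ecosystem comes from the issue, while the AWS SDK group ids, the `/` directory and the weekly schedule are assumptions.

```yaml
# Added example of option 3 (not the project's own dependabot.yml):
# keep Dependabot version updates, but drop PATCH (MICRO) bumps from the
# noisy AWS SDK artifacts only. "maven" is taken from the issue; the
# directory, schedule and group ids below are assumptions.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"                 # assumed: pom.xml at the repository root
    schedule:
      interval: "weekly"           # assumed cadence
    ignore:
      # Assumed group ids of the AWS SDK v1 and v2 artifacts; the trailing
      # wildcard matches every artifactId in that group. Only the
      # semver-patch update type is ignored, so major and minor bumps of
      # these groups still open pull requests, as do all bumps of every
      # other dependency.
      - dependency-name: "com.amazonaws:*"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "software.amazon.awssdk:*"
        update-types: ["version-update:semver-patch"]
```

One caveat worth keeping in mind against reason 1 above (consuming the latest security patches): a security fix that an ignored group ships only as a patch release will no longer surface through version-update pull requests, so keep Dependabot alerts enabled for the repository and check whether your ignore rules also apply to Dependabot security updates before relying on them for that group.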

@belaban
Member

belaban commented Jun 21, 2022

I'd vote for option 3. However, do as you like, this is your project.

@belaban
Member

belaban commented Jun 24, 2022

This is getting really annoying: I suggest we ignore the micro updates in dependabot. Or, if there's a way, I'd like to remove myself from getting update notifications...

@rhusar rhusar closed this as completed in 3f261d2 Sep 5, 2022
rhusar added a commit that referenced this issue Sep 5, 2022
Fixes #192: Investigate options for lowering dependency upgrades nois…
@rhusar
Member Author

rhusar commented Sep 5, 2022

@belaban OK (back from PTO) - let's go with option 3! Done (might need some fine tuning if this doesn't work just yet).

@belaban
Member

belaban commented Sep 9, 2022

thx!
