tinkerpop-dev mailing list archives

From "Florian Hockmann" ...@florian-hockmann.de>
Subject Re: Using a bot to keep dependencies up to date
Date Wed, 10 Apr 2019 11:59:17 GMT
> we don't usually upgrade them in a release line unless

I'm still not that experienced with Java/Maven, but the reasoning is that we want to avoid
dependency version conflicts for our users, right?

In that case, it's specific to Java I'd say. At least for .NET, I would expect a library to
use recent versions of its dependencies.

Since we add new features in our "patch versions" (we aren't doing semantic versioning so
those aren't actually patch versions), I think it's also OK in general to update dependencies
in those versions, at least to a higher patch version, but I think a higher minor version
should also be OK if we also add features ourselves in those versions.

> We also typically have JIRAs for version bumps of dependencies - not always plugins -
so if we continued with that those would need to be created and CHANGELOG entries added
manually after a merge i guess.

Do we need a JIRA + CHANGELOG entry for all dependency updates or only for important ones?
If we need them, then the bot at least notifies us of an available update and provides a PR
for the update itself. We can then still create a JIRA issue + CHANGELOG entry manually if
necessary.
The notification should also include fixes for security problems in which case the bot sometimes
also includes this information directly in the PR.

> kuppitz makes the good point of the mess Travis has been in lately. 

Is that a reason against using a bot for automation or am I misunderstanding your/Daniel's
point here? If a Travis build fails non-deterministically for a PR created by a bot, then
I would simply trigger a rebuild manually.

We could also use such a bot only for the GLVs / some of the GLVs if we don't want to update
dependencies in general outside of major releases (like 3.5.0). At least for .NET I would
appreciate such a bot, but I can't say much for Python / JavaScript as I don't know enough
about how they handle dependency updates.

-----Original Message-----
From: Stephen Mallette <spmallette@gmail.com>
Sent: Wednesday, April 3, 2019 20:27
To: dev@tinkerpop.apache.org
Subject: Re: Using a bot to keep dependencies up to date

hmm - so far i've been the bot. i run maven commands to find out what needs upgrading and
then make decisions on when to do those upgrades as we don't usually upgrade them in a release
line unless:

1. they are maven plugins
2. they are fixes for security problems
3. they introduce something important for our code base - like a performance fix or other
enhancements

That said, my maven commands only deal with Java and not the GLVs so not much attention has
been paid there unfortunately now that I think about it.
We also typically have JIRAs for version bumps of dependencies - not always plugins - so if
we continued with that those would need to be created and CHANGELOG entries added manually
after a merge i guess.

I'm not completely against the idea, just pointing out some points of friction with what we
currently do and kuppitz makes the good point of the mess Travis has been in lately. Utterly
useless the last few weeks. If we didn't use a bot, at minimum it would be nice to document
the manual methods for getting reports for the GLVs that show upgrade paths (I assume that
those exist for other language ecosystems as they do for maven). it would be nice to hear
additional thoughts on the matter.

Florian, thanks for taking the time to look into improving our build process.



On Wed, Apr 3, 2019 at 1:29 PM Daniel Kuppitz <me@gremlin.guru> wrote:

> Pretty cool, I like that (if only Travis would be a little more reliable).
>
> Cheers,
> Daniel
>
>
> On Wed, Apr 3, 2019 at 9:43 AM Florian Hockmann <fh@florian-hockmann.de> wrote:
>
> > Hi,
> >
> > we have a lot of dependencies in TinkerPop in different projects and 
> > even across different languages. That makes it hard to keep them 
> > updated which sometimes has security implications.
> >
> > I recently noticed that other open source projects use a bot that 
> > regularly checks whether any updates are available for their 
> > dependencies and then creates one PR per dependency. Just to try it 
> > out with TinkerPop, I activated such a bot on my fork:
> >
> > https://github.com/florianhockmann/tinkerpop/pulls
> >
> > and the overall result looks quite good in my opinion. It created a 
> > lot of PRs* and most could probably be directly merged. The bot can 
> > also be easily configured just by adding comments to its PR, for 
> > example to ignore a certain (major/minor/patch) version of a dependency:
> >
> >
> > https://github.com/FlorianHockmann/tinkerpop/pull/24#issuecomment-473936360
> >
> > What do you think about adding such a bot for our repo?
> >
> >
> > * This is limited to only 5 PRs per day at first to not overwhelm a 
> > project with PRs.
> >
> >
> >
>

