From Stephen Mallette <spmalle...@gmail.com>
Subject Re: Using a bot to keep dependencies up to date
Date Wed, 03 Apr 2019 18:26:41 GMT
hmm - so far I've been the bot. I run maven commands to find out what needs
upgrading and then make decisions on when to do those upgrades as we don't
usually upgrade them in a release line unless:

1. they are maven plugins
2. they are fixes for security problems
3. they introduce something important for our code base - like a
performance fix or other enhancements

That said, my maven commands only deal with Java and not the GLVs so not
much attention has been paid there unfortunately now that I think about it.
We also typically have JIRAs for version bumps of dependencies - not always
plugins - so if we continued with that those would need to be created
and CHANGELOG entries added manually after a merge I guess.

I'm not completely against the idea, just pointing out some points of
friction with what we currently do and kuppitz makes the good point of the
mess Travis has been in lately. Utterly useless the last few weeks. If we
didn't use a bot, at minimum it would be nice to document the manual
methods for getting reports for the GLVs that show upgrade paths (I assume
that those exist for other language ecosystems as they do for maven). It
would be nice to hear additional thoughts on the matter.

Florian, thanks for taking the time to look into improving our build
process.



On Wed, Apr 3, 2019 at 1:29 PM Daniel Kuppitz <me@gremlin.guru> wrote:

> Pretty cool, I like that (if only Travis would be a little more reliable).
>
> Cheers,
> Daniel
>
>
> On Wed, Apr 3, 2019 at 9:43 AM Florian Hockmann <fh@florian-hockmann.de>
> wrote:
>
> > Hi,
> >
> > we have a lot of dependencies in TinkerPop in different projects and
> > even across different languages. That makes it hard to keep them updated
> > which sometimes has security implications.
> >
> > I recently noticed that other open source projects use a bot that
> > regularly checks whether any updates are available for their
> > dependencies and then creates one PR per dependency. Just to try it out
> > with TinkerPop, I activated such a bot on my fork:
> >
> > https://github.com/florianhockmann/tinkerpop/pulls
> >
> > and the overall result looks quite good in my opinion. It created a lot
> > of PRs* and most could probably be directly merged. The bot can also be
> > easily configured just by adding comments to its PR, for example to
> > ignore a certain (major/minor/patch) version of a dependency:
> >
> >
> > https://github.com/FlorianHockmann/tinkerpop/pull/24#issuecomment-473936360
> >
> > What do you think about adding such a bot for our repo?
> >
> >
> > * This is limited to only 5 PRs per day at first to not overwhelm a
> > project with PRs.
> >
> >
> >
>
