Automate the process of dependencies versions update

Comments (4)

1. 

   Denis Konovalyenko reporter

   • edited description

   • 2020-05-02T10:15:22+00:00
2. 

   Chase Tingley

   We use Dependabot, which gets the job done (although sometimes drives me crazy). I don’t think it supports bitbucket, though?

   • 2020-05-03T18:34:55+00:00
3. 

   Mihai Nita

   Maven has a plugin: https://www.mojohaus.org/versions-maven-plugin/index.html

   It can even update the dependencies:
   https://www.mojohaus.org/versions-maven-plugin/use-latest-releases-mojo.html

   But has not way to fix broken builds if APIs changed.

   And can’t reliably decide if a release is final / stable or not. The rule used is simply: if it is in maven central, is released (otherwise it should be in snapshot).

   But maven central contains all kind of alpha and beta and release candidates. I don’t consider those “released”
   Even as a human it is often hard to decide what is “release” and what is not

   Examples (among the ones used by Okapi):

   • commons-discovery:commons-discovery:1.0-dev
   • javax.xml.bind:axb-api:2.4.0-b180830.0359
   • com.sun.xml.bind:jaxb-core:M2
   • org.slf4j:slf4j-api:2.0.0-alpha1
   • ch.qos.logback:logback-core:1.3.0-alpha5

   The alpha# are kind of clear for a human. But are -dev or - b180830.0359 final / stable / official release?

   I doubt that Dependabot can do better.

   ‌

   • 2020-05-04T20:54:05+00:00
4. 

   Chase Tingley

   I wonder if dependabot has some filter criteria, since I don’t typically see things like -alpha4, but in general it does have the same problem.

   • 2020-05-04T21:12:24+00:00
5. Log in to comment