Automate the process of dependency version updates
The initial discussion was started in the scope of the pull request #396 here:
As for updating the dependency versions, can we consider something to automate this process, aka dependabot (out of this pull request scope of course)?
Maven also has something to update the dependencies to the latest version too.
But that’s the theory. The reality is that someone has to do it, update the code if there are APIs changes, make sure everything passes (JDK 8 and 11, several OSes), revert version updates that require too many changes, etc.
Stuff breaks all the time when you update versions (even now com.h2database:h2:1.4.199 works, 1.4.200 breaks Rainbow integration).
As far as I understand, the process can be semi-automated at least. A bot (on behalf of okapiframework-robot, for instance), which checks for the availability of new dependencies, could open a pull request, in the scope of which the CI build can be passing or failing, and the final decision on accepting the changes could be made by a human.
Comments (4)
-
reporter -
We use Dependabot, which gets the job done (although sometimes drives me crazy). I don’t think it supports bitbucket, though?
-
Maven has a plugin: https://www.mojohaus.org/versions-maven-plugin/index.html
It can even update the dependencies:
https://www.mojohaus.org/versions-maven-plugin/use-latest-releases-mojo.html
But it has no way to fix broken builds if APIs changed.
And it can’t reliably decide if a release is final / stable or not. The rule used is simply: if it is in Maven Central, it is released (otherwise it should be in snapshot).
But Maven Central contains all kinds of alpha and beta and release candidates. I don’t consider those “released”.
Even as a human it is often hard to decide what is a “release” and what is not. Examples (among the ones used by Okapi):
- commons-discovery:commons-discovery:1.0-dev
- javax.xml.bind:jaxb-api:2.4.0-b180830.0359
- com.sun.xml.bind:jaxb-core:M2
- org.slf4j:slf4j-api:2.0.0-alpha1
- ch.qos.logback:logback-core:1.3.0-alpha5
The alpha# ones are kind of clear for a human. But are -dev or -b180830.0359 final / stable / official releases?
I doubt that Dependabot can do better.
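The comment above lists version strings that a human has trouble calling "released" or not, and notes that the versions plugin's only rule is "it is in Maven Central, so it is released". As an added example (not code from Okapi, Dependabot or the versions-maven-plugin), the classifier below shows what a bot could do before opening a version-bump pull request: tokenize the version the way Maven's ComparableVersion roughly does (split on `.`, `-` and letter/digit boundaries) and flag the well-known pre-release qualifiers (alpha, beta, milestone, rc, snapshot, which are real Maven qualifier keywords). The extra words `dev`, `pre` and `preview`, and the rule that a single letter followed by a timestamp-like number (the `b180830.0359` case) is "ambiguous" rather than "pre-release", are this example's own assumptions, chosen so that exactly the hard cases from the list end up in front of a human instead of being bumped automatically.

```python
import re
from typing import List, Tuple

# Qualifier words that Maven's version ordering places before a bare release.
# alpha/a, beta/b, milestone/m, rc/cr and snapshot are Maven's own keywords;
# dev, pre and preview are added here as an assumption for this example.
PRERELEASE_WORDS = {
    "alpha", "a", "beta", "b", "milestone", "m", "rc", "cr", "snapshot",
    "dev", "pre", "preview",
}
# Qualifiers Maven treats as equal to a bare release.
RELEASE_WORDS = {"ga", "final", "release"}


def tokenize(version: str) -> List[str]:
    """Split a version into digit runs and letter runs, approximating Maven's
    ComparableVersion: '.' and '-' separate tokens, and so does a change
    between letters and digits (so 'alpha1' -> ['alpha', '1'])."""
    parts = re.split(r"[.\-]|(?<=\d)(?=[a-z])|(?<=[a-z])(?=\d)", version.lower())
    return [p for p in parts if p]


def classify(coordinate: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a 'group:artifact:version' coordinate.
    verdict is 'release', 'pre-release' or 'ambiguous'."""
    _group, _artifact, version = coordinate.split(":", 2)
    tokens = tokenize(version)
    for i, tok in enumerate(tokens):
        if tok.isdigit() or tok in RELEASE_WORDS:
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("a", "b", "m") and nxt.isdigit() and len(nxt) >= 6:
            # e.g. 'b180830.0359': one letter plus a timestamp-like number.
            # Heuristic (assumption): treat as a build tag needing human review.
            return "ambiguous", f"single-letter qualifier '{tok}' before timestamp-like '{nxt}'"
        if tok in PRERELEASE_WORDS:
            return "pre-release", f"qualifier '{tok}'"
        return "ambiguous", f"unknown qualifier '{tok}'"
    return "release", "numeric components only"


def triage(coordinates: List[str]) -> List[Tuple[str, str, str]]:
    """Classify each coordinate; only 'release' verdicts would be safe to bump
    without a person looking at them."""
    return [(c, *classify(c)) for c in coordinates]


if __name__ == "__main__":
    # Constructed sample: the coordinates from the comment plus one plain release.
    sample = [
        "commons-discovery:commons-discovery:1.0-dev",
        "javax.xml.bind:jaxb-api:2.4.0-b180830.0359",
        "com.sun.xml.bind:jaxb-core:M2",
        "org.slf4j:slf4j-api:2.0.0-alpha1",
        "ch.qos.logback:logback-core:1.3.0-alpha5",
        "com.h2database:h2:1.4.200",
    ]
    for coord, verdict, reason in triage(sample):
        print(f"{verdict:12} {coord}  ({reason})")
```

Run as a script it prints one verdict per coordinate; a bot would use `triage` to decide which candidate bumps to open a pull request for and which to leave for a human, which is the semi-automated flow the issue description asks for. The "in Central means released" rule the comment criticises would accept all six.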
-
I wonder if dependabot has some filter criteria, since I don’t typically see things like -alpha4, but in general it does have the same problem.