Closed sullis closed 3 years ago
I like this idea in theory, but in practice there is some limited intentional downgrading happening to keep Java 8 compliance. For example, commons-lang3 is pegged at 3.8.1 to maintain Java 7 runtime support:

```xml
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-lang3</artifactId>
    <!-- Note: 3.9+ now targets Java 8.0, so sticking with 3.8.1 for Java 7 support. -->
    <version>3.8.1</version>
</dependency>
```

So how does Dependabot know not to touch that, or keep other dependencies from upgrading past Java 7 support?
https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
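
One way to express the pin discussed above in Dependabot's own configuration, as an added example that is not part of the original thread or the project's files: an `ignore` rule in `.github/dependabot.yml`. The directory, schedule and the Maven-style range used for `versions` are assumptions.

```yaml
# .github/dependabot.yml (added example, not taken from the project)
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"            # assumption: pom.xml sits at the repository root
    schedule:
      interval: "weekly"      # assumption: any supported interval works here
    ignore:
      # Mirrors the comment in pom.xml: 3.9+ targets Java 8, so Dependabot
      # should never propose anything at or above 3.9 for this artifact.
      # Maven dependencies are named groupId:artifactId.
      - dependency-name: "org.apache.commons:commons-lang3"
        versions: ["[3.9,)"]  # assumption: Maven range syntax, 3.9 and later
```

Each further dependency that is capped for Java 7 support needs its own `ignore` entry, since Dependabot does not read the explanatory comment in `pom.xml`.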