awhitford / lombok.maven

Maven Plugin for Project Lombok
http://projectlombok.org/
MIT License

enable Dependabot v2 #40

Closed sullis closed 3 years ago

sullis commented 4 years ago

https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/ 

awhitford commented 4 years ago

I like this idea in theory, but in practice there is some limited intentional downgrading happening to keep Java 8 compliance. For example, commons-lang3 is pegged at 3.8.1 to maintain Java 7 runtime support:

    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <!-- Note: 3.9+ now targets Java 8.0, so sticking with 3.8.1 for Java 7 support. -->
      <version>3.8.1</version>
    </dependency>

So how does Dependabot know not to touch that, or keep other dependencies from upgrading past Java 7 support?

awhitford commented 3 years ago

It looks like we can configure Dependabot to ignore updates to commons-lang3, so a 👍 from me.
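
A `.github/dependabot.yml` sketch of the ignore rule discussed above, added here as an example; it is not part of the original thread or the project's own configuration. The `directory`, the `schedule` interval and the Maven-style version range are assumptions.

```yaml
# .github/dependabot.yml (added example, not the project's actual file)
version: 2
updates:
  - package-ecosystem: "maven"
    # Assumption: the pom.xml sits at the repository root.
    directory: "/"
    schedule:
      # Assumption: weekly checks; the thread does not state an interval.
      interval: "weekly"
    ignore:
      # commons-lang3 3.9+ targets Java 8, so keep the 3.8.1 pin by
      # ignoring every version from 3.9 upward (Maven range syntax).
      - dependency-name: "org.apache.commons:commons-lang3"
        versions: ["[3.9,)"]
```

With this rule Dependabot opens no upgrade pull requests into the ignored range, so the 3.8.1 pin needs a periodic manual review.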