oracle / graalvm-reachability-metadata

Repository which contains community-driven collection of GraalVM reachability metadata for open-source libraries.
Creative Commons Zero v1.0 Universal

Automatically Test and Update all Libraries to their Latest Version via Dependabot #504

Open vjovanov opened 2 weeks ago

vjovanov commented 2 weeks ago

All libraries are currently set for a specific version and never tested with later versions (e.g., netty). We apply those libraries in build tools then even if the user uses a newer library. This is not ideal because the metadata might not work with the latest version of a given library and it could lead to unexpected behavior.

We need to introduce a dependabot-based mechanism that will try metadata with all the latest library versions as they appear, and automatically bump the dependencies. If all the tests pass without a glitch, the list of supported versions is updated. If the tests fail the bot should open an issue on the metadata repository with the failure.

After this change, we should only use the metadata for the libraries that are fully tested. If the library version is not supported the users should be notified that they can use a previous version of the library that is fully supported.

wilkinsona commented 2 weeks ago

users should be notified that they can use a previous version of the library that is fully supported

I think this should be worded carefully so as to avoid encouraging a user to downgrade a dependency and potentially expose their application to a security vulnerability.