vavr-io / vavr-jackson

Jackson datatype module for Vavr
Apache License 2.0

enable Dependabot v2 #162

Closed sullis closed 4 years ago

codecov-commenter commented 4 years ago

Codecov Report

Merging #162 into master will not change coverage. The diff coverage is n/a.


@@            Coverage Diff            @@
##             master     #162   +/-   ##
=========================================
  Coverage     93.24%   93.24%           
  Complexity      339      339           
=========================================
  Files            47       47           
  Lines           785      785           
  Branches        172      172           
=========================================
  Hits            732      732           
  Misses           24       24           
  Partials         29       29           

Last update d47f8e8...61d044a.

mincong-h commented 4 years ago

Hi @sullis, thanks for your PR. I am a bit unsure about the value of Dependabot for this project. I mean, it's good to keep dependencies up-to-date for end projects (applications), but for this library I'm less sure. Let me explain my reason.

Vavr Jackson has only two source dependencies: Vavr and Jackson. Our release cycle is aligned with Vavr, so the Vavr version will be changed when we do a new release. Our Jackson version is kept low intentionally to ensure that developers can have the choice of Jackson version they use: 2.7, 2.8, 2.9, 2.10, 2.11. So using Dependabot without explicit exclusion on Jackson version will result in a false positive. But I think we just need to configure the directive ignored_updates to ignore it.

Vavr Jackson has multiple test dependencies. On the plugins side, all the Gradle plugins do not have plugin versions defined. So, we are already using the latest version. On the test dependencies side, we have JUnit, JAXB, Java Poet and Jackson. For Jackson, we override the Jackson version in Travis CI configuration. I don't think Dependabot can upgrade that. So the targets are only JUnit, JAXB, and Java Poet.

It seems a bit overkill to include Dependabot for that. Any thoughts, @sullis @ruslansennov?

sullis commented 4 years ago

Dependabot V2 can detect:

1) outdated libraries
2) outdated Gradle plugins / outdated Maven plugins
3) outdated GitHub Actions

Regarding Jackson: it is easy to configure Dependabot to ignore certain libraries

sullis commented 4 years ago

Regarding Jackson: it is easy to configure Dependabot to ignore certain libraries

I added an ignore statement for Jackson
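
A Dependabot v2 configuration along the lines discussed in this thread, as an added example (it is not the file from this PR). The directory, the weekly schedule, the wildcard pattern and the `github-actions` entry are assumptions.

```yaml
# .github/dependabot.yml (added illustration, not the file from PR #162)
version: 2
updates:
  # Gradle build: source and test dependencies plus Gradle plugins
  - package-ecosystem: "gradle"
    directory: "/"            # assumption: build.gradle sits at the repository root
    schedule:
      interval: "weekly"      # assumption: the thread does not state a cadence
    ignore:
      # Jackson is kept low on purpose so users can choose 2.7 through 2.11.
      # "*" matches zero or more characters, so this covers every
      # com.fasterxml.jackson.* group (core, datatype, module, ...).
      - dependency-name: "com.fasterxml.jackson*"
    # With this rule Dependabot opens no version-update PRs for Jackson,
    # so the pinned minimum version has to be reviewed by hand.

  # Workflow actions; only relevant if the repository has .github/workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```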

ruslansennov commented 4 years ago

Let's try!

mincong-h commented 4 years ago

Merged!