sullis closed 4 years ago
Hi @sullis , thanks for your PR. I am a bit unsure about the value of Dependabot for this project. I mean, it's good to keep dependencies up-to-date for end projects (applications), but for this library I'm less sure. Let me explain my reason.
Vavr Jackson has only two source dependencies: Vavr and Jackson. Our release cycle is aligned with Vavr, so the Vavr version will be changed when we do a new release. Our Jackson version is kept low intentionally to ensure that developers can have the choice of Jackson version they use: 2.7, 2.8, 2.9, 2.10, 2.11. So using Dependabot without an explicit exclusion on the Jackson version will result in false positives. But I think we just need to configure the `ignored_updates` directive to ignore it.
Vavr Jackson has multiple test dependencies. On the plugins side, all the Gradle plugins do not have plugin versions defined. So, we are already using the latest version. On the test dependencies side, we have JUnit, JAXB, Java Poet and Jackson. For Jackson, we override the Jackson version in Travis CI configuration. I don't think Dependabot can upgrade that. So the targets are only JUnit, JAXB, and Java Poet.
It seems a bit overkill to include Dependabot for that. Any thoughts, @sullis @ruslansennov ?
Dependabot V2 can detect: 1) outdated libraries 2) outdated Gradle plugins / outdated Maven plugins 3) outdated GitHub Actions
Regarding Jackson: it is easy to configure Dependabot to ignore certain libraries
I added an `ignore` statement for Jackson
Let's try!
Merged!
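For readers who want to see what the discussed setup looks like, here is an added example of a Dependabot V2 configuration (`.github/dependabot.yml`) that keeps Gradle dependencies current while leaving Jackson pinned. It is not the file from this PR; the weekly schedule, the root directory and the wildcard pattern are assumptions. Note that V2 uses the `ignore` key, whereas `ignored_updates` is the name from the older V1 format.

```yaml
# Added example, not the configuration merged in this PR.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"            # assumption: build.gradle lives at the repository root
    schedule:
      interval: "weekly"      # assumption: any supported interval works
    ignore:
      # Jackson is kept at a low version on purpose so that library users
      # can choose their own 2.x release; suppress update PRs for every
      # artifact whose groupId starts with com.fasterxml.jackson.
      - dependency-name: "com.fasterxml.jackson*"
```

With this in place, Dependabot still proposes updates for the remaining test dependencies (JUnit, JAXB, Java Poet). The Jackson versions overridden in the Travis CI configuration are outside what this file controls.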