[JSPWIKI-1135] - Add dependabot config file #15
Conversation
|
Add commit with some fix in the javadoc |
| # limitations under the License. | ||
|
|
||
| version: 2 | ||
| updates: |
There was a problem hiding this comment.
Hi @arturobernalg , thanks for the PR! A couple of questions / comments:
- would you mind including some exclusions for servlet-api, jsp-api and tomcat required dependencies? More precisely, it would be great if we could get notified about patch releases on those dependencies, but not on minor or major
- how does dependabot behave with versions not following semantic versioning? For instance, slf4j should stay on 1.7.30 and not be upgraded to latest 2.0.0-alpha1.
thanks + br,
juan pablo
There was a problem hiding this comment.
mmmm
no clue. I'm gonna check if we can configure the bot to achieve what you asking.
There was a problem hiding this comment.
Hi,
according to dependabot documentation version's ranges can be excluded, so the file should have at least the following exclusions
javax.servlet:javax.servlet-apishould exclude the range[3.2.0,)javax.servlet.jsp:javax.servlet.jsp-apishould exclude the range[2.4.0,)org.apache.tomcat:*should exclude the range[10.0.0,)- we use only a couple of
embeddependencies on the portable module, but using a wildcard seems safer on the long run
- we use only a couple of
org.slf4j:*should exclude the range[1.8.0-beta1,2.0.0)- the range comes from a bit of a search on central + checking version ordering (cfr. with last section of the article)
- last, according to the documentation, the
Dockerfilecould/would also be checked for newer versions. In this case, I think it would be safe to just ignore it.
best regards,
juan pablo
There was a problem hiding this comment.
There was a problem hiding this comment.
At the moment thinks are fallows:
version: 2
updates:
- package-ecosystem: "maven"
directory: "/"
schedule:
interval: "daily" - package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
ignore:- dependency-name: javax.servlet:javax.servlet-api
versions: [3.2.0,) - dependency-name: javax.servlet.jsp:javax.servlet.jsp-api
versions: [2.4.0,) - dependency-name: org.apache.tomcat:*
versions: [10.0.0,) - dependency-name: org.slf4j:*
versions: [1.8.0-beta1,2.0.0)
- dependency-name: javax.servlet:javax.servlet-api
There was a problem hiding this comment.
Hi @juanpablo-santos JP. No idea of how ignore DockerFile
There was a problem hiding this comment.
Just not specifying a docker package-ecosystem section should be enough. What I tried to mean on my previous comment is that we could also check for it, but it is not necessary, as the Dockerfile is currently fixed for Apache Tomcat 9.0 versions.
As for the ignored dependencies/versions, they should go under the maven package ecosystem, the github-actions one should be deleted, as we're not currently using them. Somehow I missed this on the initial review..
thx,
juan pablo
There was a problem hiding this comment.
mmmm.. so.... do I have to do anything else?
There was a problem hiding this comment.
Remove the github-actions section and place the exclusions under the maven package-ecosystem one. Also, in this case, and if possible, squash the commits into one, so the commit history gets clearer, and we don't lose the commit authorship.
best regards,
juan pablo
arturobernalg
force-pushed
the
feature/JSPWIKI-1135
branch
from
b48f52f
to
b001317
Compare
arturobernalg
force-pushed
the
feature/JSPWIKI-1135
branch
from
d466813
to
e3576c0
Compare
arturobernalg
force-pushed
the
feature/JSPWIKI-1135
branch
from
e3576c0
to
4ae0a30
Compare
No description provided.