Dependabot + Peer Plugin Dependencies


Gavin Mogan

Jun 17, 2019, 5:59:34 PM
to jenkin...@googlegroups.com
Hey y'all,

I'm loving all the little helpfulness that Dependabot provides; it keeps things up to date, etc.

But how do you all handle the peer dependencies, like depending on git-plugin? Do you always upgrade, or just as needed?

I know generally you don't want to update your core dep so people aren't forced to upgrade, but does that apply to plugins too?

Trying to figure out what to do about the PR noise on Blue Ocean, and whether I should merge or @ignore.

Gavin

Mark Waite

Jun 17, 2019, 6:38:58 PM
to jenkinsci-dev
For plugins which are test dependencies and only test dependencies, I prefer to keep them at the latest version. Since they are test dependencies, they won't be included in the packaging and the plugin upgrade is not forced on end users.

For plugins that are runtime dependencies, I keep them as old as I possibly can so that I have the least potential of forcing a user to upgrade that plugin.

"As old as I possibly can" means that I upgrade them when I need an API that is only provided in that version of the dependency, or when there is another dependency which is forcing an upgrade.



--
Thanks!
Mark Waite

Jesse Glick

Jun 17, 2019, 7:10:55 PM
to Jenkins Dev
On Mon, Jun 17, 2019 at 6:38 PM Mark Waite <mark.ea...@gmail.com> wrote:
> Since they are test dependencies, they won't be included in the packaging and the plugin upgrade is not forced on end users.

Unfortunately, this often “bleeds” into non-test deps when you factor in `RequireUpperBoundsDeps` fixes.

There is not any particularly satisfactory answer, and this was the main issue I identified when use of Dependabot on plugin repositories was first being proposed.

I think JENKINS-47498 would make use of Dependabot much simpler, since normally there would just be a single version number you would increment in your POM (not counting the `parent`) to stay up to date with everything; but it _would_ mean upgrading test and non-test dependencies alike. Whether this really matters much to users, I am not sure. Certainly it would reduce surprise failures from `plugin-compat-tester`.
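To make Mark's test-vs-runtime policy and Jesse's "bleed" concrete, here is a Jenkins plugin `pom.xml` fragment added as an illustration; it is not code from this thread or from any Jenkins project. The `groupId`/`artifactId` coordinates for the plugin parent, the git plugin, `workflow-cps` and the Maven enforcer plugin are real; the plugin name and every version are placeholders to be filled in. The enforcer configuration is spelled out here for clarity, although the Jenkins plugin parent POM normally enables `requireUpperBoundDeps` already.

```xml
<!-- Added example, not from the thread: a Jenkins plugin POM fragment that
     applies the dependency policy discussed above. Coordinates are real
     Jenkins/Maven artifacts; all version values are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.jenkins-ci.plugins</groupId>
    <artifactId>plugin</artifactId>
    <version>PLUGIN_PARENT_VERSION</version> <!-- placeholder -->
    <relativePath />
  </parent>

  <artifactId>example-plugin</artifactId> <!-- hypothetical plugin name -->
  <version>1.0-SNAPSHOT</version>
  <packaging>hpi</packaging>

  <properties>
    <!-- Core baseline: deliberately old so users are not forced to upgrade Jenkins. -->
    <jenkins.version>CORE_BASELINE_VERSION</jenkins.version> <!-- placeholder -->
    <!-- Runtime plugin dependency: the oldest version that has the API this plugin calls. -->
    <git-plugin.version>OLDEST_GIT_VERSION_WITH_NEEDED_API</git-plugin.version> <!-- placeholder -->
    <!-- Test-only plugin dependency: can be allowed to float to the latest release. -->
    <workflow-cps.version>LATEST_WORKFLOW_CPS_VERSION</workflow-cps.version> <!-- placeholder -->
  </properties>

  <dependencies>
    <!-- Default (compile) scope: written into the .hpi manifest as a
         Plugin-Dependencies entry, so Jenkins requires this version or newer
         to be installed. A Dependabot bump here is a forced upgrade for users. -->
    <dependency>
      <groupId>org.jenkins-ci.plugins</groupId>
      <artifactId>git</artifactId>
      <version>${git-plugin.version}</version>
    </dependency>

    <!-- Test scope: only on the classpath of JenkinsRule tests; not packaged
         and not a manifest dependency. A Dependabot bump here costs users
         nothing by itself. -->
    <dependency>
      <groupId>org.jenkins-ci.plugins.workflow</groupId>
      <artifactId>workflow-cps</artifactId>
      <version>${workflow-cps.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- The rule behind the "bleed": the build fails when any dependency in
           the tree, test-scoped ones included, transitively requires a newer
           version of a dependency than the one resolved above. A newer
           workflow-cps that needs a newer git plugin therefore forces the
           runtime git version up as well. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>enforce-upper-bounds</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <requireUpperBoundDeps />
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The practical consequence for triaging Dependabot PRs follows from the two scopes: a bump to the test-scoped dependency can be merged freely until `requireUpperBoundDeps` reports that it drags a runtime dependency along, at which point the PR is really a runtime upgrade and should be judged by the "as old as possible" rule instead.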