All libraries are currently set for a specific version and never tested with later versions (e.g., netty). We apply those libraries in build tools then even if the user uses a newer library. This is not ideal because the metadata might not work with the latest version of a given library and it could lead to unexpected behavior.
We need to introduce a dependabot-based mechanism that will try metadata with all the latest library versions as they appear, and automatically bump the dependencies. If all the tests pass without a glitch, the list of supported versions is updated. If the tests fail the bot should open an issue on the metadata repository with the failure.
After this change, we should only use the metadata for the libraries that are fully tested. If the library version is not supported, the users should be notified that they can use a previous version of the library that is fully supported.
> users should be notified that they can use a previous version of the library that is fully supported
I think this should be worded carefully so as to avoid encouraging a user to downgrade a dependency and potentially expose their application to a security vulnerability.