Conversation

@bact
Collaborator

@bact bact commented Sep 16, 2025

  • Update dependencies to their latest minor version
  • Update spdx-maven-plugin to 1.0.3

Signed-off-by: Arthit Suriyawongkul <[email protected]>
@bact bact added the dependencies Pull requests that update a dependency file label Sep 16, 2025
@goneall
Member

goneall commented Sep 16, 2025

In the past, I've been a bit more conservative on updating dependency versions - only updating if there is a security vulnerability or a fix we know would have a positive impact on the library.

I've noticed some of the other Java open source projects keep current on all minor versions. If we want to take this approach, I can update the dependabot to notify us on any updates.

@pmonks @bact - Any thoughts on changing the practice and updating dependabot config?

@pmonks
Collaborator

pmonks commented Sep 16, 2025

In general when I'm confident in my unit tests (in terms of coverage), I'll generally be aggressive about staying on top of the latest released minor and/or patchlevel versions of dependencies (including, in some cases, automating dependency upgrades).

For Spdx-Java-Library specifically, the unit tests seem pretty comprehensive to me so I'd tend to lean towards being more aggressive - at a minimum having dependabot (or whatever) notifying us (raising an issue?) when a dependency falls out of date, but perhaps even automatically submitting a PR with the dependencies upgraded (which will trigger a run of the unit tests, which should tell us whether the upgrade breaks anything).

@bact
Collaborator Author

bact commented Sep 16, 2025

I can see that it's quite a challenge for the maintainer of SPDX Java libraries to keep things secure, as there are quite a number of libraries (core, models, model-stores, library).

I support any approach that will minimise the workload of the maintainer while fairly keeping the overall positive results of the libraries (although it may not be optimal, as I understand that some dependency updates could come with a larger download size).

A good side effect of having the same versions for dependencies across SPDX Java libraries (which dependabot tends to bring) is that SPDX Java libraries can share dependencies, potentially reducing download size. (This will be less true for patch level, and more true for minor version.)

Member

@goneall goneall left a comment


LGTM

@goneall goneall merged commit feaf8ed into spdx:master Sep 17, 2025
1 check passed
@bact bact deleted the update-deps branch September 17, 2025 20:25
@goneall
Member

goneall commented Sep 17, 2025

FYI: I created PR #347 which I think will check dependencies weekly.

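For readers following the thread: the comments above discuss two policies (security-fix-only versus keeping current on minor and patch releases) and a weekly Dependabot check. The file below is an added illustration of how both are expressed in a Dependabot config for a Maven project; it is hypothetical, is not the project's own file, and is not the content of PR #347 (which is not shown on this page). The repository layout (root `pom.xml`) and the label name are assumptions.

```yaml
# Hypothetical .github/dependabot.yml for a Maven project (added example, not the project's file).
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"            # assumes the pom.xml sits at the repository root
    schedule:
      interval: "weekly"      # one check per week, as the thread describes
      day: "monday"
    # Conservative policy discussed above: set this to 0 to stop version-update PRs
    # while still receiving Dependabot security-update PRs.
    open-pull-requests-limit: 10
    # Aggressive policy discussed above: batch all minor and patch bumps into one PR
    # so a single CI run (the unit tests) validates the whole set.
    groups:
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
    # Major bumps are left for a human to review rather than auto-proposed.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    labels:
      - "dependencies"        # assumed to match the label used on this PR
    commit-message:
      prefix: "deps"
```

The two policies differ only in `open-pull-requests-limit` (0 for security-only, a positive number to receive version updates); grouping minor and patch updates is what gives the shared-version effect across sibling libraries that bact mentions, since each repository receives the same set of bumps in the same week.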
Labels

dependencies Pull requests that update a dependency file

3 participants