Open
Description
Instead of updating every dependency, let's allow Dependabot to submit PRs only for a set of libraries that are safe to update in most cases.
Candidates:
- thumbnailator
- jsoup (Update jsoup to 1.16.1 #1567)
- lombok (Update Lombok to 1.18.24 #1562)
- Liquibase (Update Liquibase to 4.25.1 #1565)
- H2 (Update H2 to 2.x #1555)
- HikariCP (Update HikariCP to 5.0.1 #1509)
- commons-text (Update commons-text to 1.11.0 #1182)
- commons-lang3 (Update commons-lang3 to 3.13.0 #1183)
- mysql-connector-java (Update mysql-connector-java to 5.1.49 #1184, Update mysql-connector-java to 8.0.16+ to fix 3 CVEs #1473)
- postgresql (Update postgresql to 42.5.0 #1173)
- html5validator (obsolete: Decommission of static analyzers #1669)
- ansible (Update Ansible to 3.4.0 #1531)
- ansible-lint (Update ansible-lint to 4.3.7 #1516, Update ansible-lint to 5.x #1515, Update ansible-lint to 6.x #1570) (obsolete: Decommission of static analyzers #1669)
- github actions
  - actions/checkout (see https://github.com/actions/checkout/releases/tag/v4.1.1)
  - actions/setup-java (see https://github.com/actions/setup-java/releases/tag/v4.0.0)
- spring framework, spring security, spring boot (minor patch)
- togglz (Update Togglz to 3.3.3 #1460, Update Togglz to 4.x #1644)
- hibernate-validator (Update hibernate-validator to 6.1.7.Final #1200, Update hibernate-validator to 7.0.x #1528, Update hibernate-validator to 8.0.x #1569)
We can also consider including some Maven plugins.
TODO:
- read https://docs.github.com/en/code-security/getting-started/dependabot-quickstart-guide
- read https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates
- read https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/customizing-dependency-updates
- read https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
- Enable Dependabot (resolution: isn't needed as we've created a file) (Settings tab, Security > Code security and analysis section, Dependabot > Dependabot version updates: enable)
- create .github/dependabot.yml
- create ADR (and mention https://github.com/dependabot/feedback/issues/216)
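Below is an added example of what the `.github/dependabot.yml` from the TODO could look like if it is restricted to the non-obsolete candidates above; it is not the project's actual file. The Maven coordinates are the standard Maven Central `groupId:artifactId` pairs for those libraries and are an assumption about what this project's `pom.xml` declares; the obsolete Ansible entries are left out. The "minor patch" requirement for Spring is expressed with an `ignore` rule, because `allow` can only name dependencies, not restrict the update type.

```yaml
# Added example (not the project's own file): allow-list Dependabot to the
# candidates named in this issue. Coordinates are assumed Maven Central ones;
# adjust them to the artifacts actually declared in pom.xml.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    allow:
      - dependency-name: "net.coobird:thumbnailator"
      - dependency-name: "org.jsoup:jsoup"
      - dependency-name: "org.projectlombok:lombok"
      - dependency-name: "org.liquibase:liquibase-core"
      - dependency-name: "com.h2database:h2"
      - dependency-name: "com.zaxxer:HikariCP"
      - dependency-name: "org.apache.commons:commons-text"
      - dependency-name: "org.apache.commons:commons-lang3"
      # Connector/J 8.0.31+ is published as com.mysql:mysql-connector-j;
      # add that coordinate once the artifact is migrated.
      - dependency-name: "mysql:mysql-connector-java"
      - dependency-name: "org.postgresql:postgresql"
      # wildcard covers togglz-core, togglz-spring-boot-starter, etc.
      - dependency-name: "org.togglz:*"
      - dependency-name: "org.hibernate.validator:hibernate-validator"
      # Spring Framework, Spring Security and Spring Boot all live under
      # org.springframework*; majors are filtered out by the ignore rule below.
      - dependency-name: "org.springframework*"
    ignore:
      # "minor patch" only: suppress semver-major bumps for Spring
      - dependency-name: "org.springframework*"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    allow:
      - dependency-name: "actions/checkout"
      - dependency-name: "actions/setup-java"
```

One caveat worth recording in the ADR: per the Dependabot configuration docs, `ignore` rules also apply to Dependabot security updates, so a vulnerability fix that requires a major Spring bump would not get an automatic PR under this configuration and would have to be handled by hand. Anything outside the `allow` list (for example the Maven plugins mentioned above) can be added later as a further `dependency-name` entry.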