The GSoC project to update all core libraries is a great idea and effort.
Once it is completed we should continuously update our dependencies. This ensures core is free from known vulnerabilities and benefits from the latest features of its dependencies. Another important aspect is that it should be easier for us to do major version updates of dependencies, as we are not far behind.
GitHub has integrated dependabot, which monitors our dependencies and creates PRs to update them.
like the maximum number of PRs it should have open at a time (default is 5), or if it should assign any reviewers. I tried this by assigning /dev/5 members, which can be expanded to other teams or individuals.
You can see the first PRs here
The PRs are labeled with dependencies and the package type.
By default it targets the master branch. We might need to add any other branch that is still supported so that updates and security updates also get applied to it. For example, not only the upcoming 2.4 (since master is getting updated) but also 2.3.
An important thing we can do to help us and dependabot is to use properties in our pom that hold versions of libraries that need to be kept in sync. This is valuable for manual and automatic updates.
For example, Spring is split into lots of different libraries that one can pick and choose. We do need to ensure that they are all on the same version, as they are also released together (at least as far as I know).
So it's been a while now that we are using dependabot in openmrs-core on the master branch. From my point of view it is working well: continuously creating PRs for updates while respecting the major versions of, for example, Spring, Hibernate and Lucene that we need to stick to. It also adds the dev-5 team as reviewers on the PR, which notifies us of an update/PR.
QUESTION:
Does it make sense to add the dev-4 GitHub team into the dependabot reviewers? They have the write role on GitHub so should be able to merge these PRs. This would increase the potential reviewers and hopefully take some work off @dkayiwa, who I see mostly merging them. If I don't hear any meaningful objections I will add them.
ACTION/VOLUNTEER: Is anyone interested in adapting the dependabot.yml for the other active branches? Actively maintained OpenMRS versions should also receive automatic version updates while respecting their particular major version requirements.
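As an added illustration (not the openmrs-core repository's actual configuration), here is what a `.github/dependabot.yml` covering the points raised in this thread could look like: a Maven ecosystem entry per maintained branch, an open-PR limit, team reviewers, labels, and an `ignore` rule that keeps dependabot from proposing major version bumps for a library family whose major version the branch must stay on. The `openmrs/dev-5` team slug, the `2.3.x` branch name and the `org.springframework:*` pattern are assumptions chosen for the example; the real team slugs, branch names and pinned library families would need to be filled in from the repository.

```yaml
# Added example dependabot configuration (not the project's own file).
# Place at .github/dependabot.yml on the branch dependabot should read it from.
version: 2
updates:
  # Entry for the development branch (master), which receives all updates.
  - package-ecosystem: "maven"
    directory: "/"                 # location of the root pom.xml
    target-branch: "master"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5    # the default mentioned in the thread
    reviewers:
      - "openmrs/dev-5"            # assumed GitHub team slug (org/team)
    labels:
      - "dependencies"
      - "java"
    ignore:
      # Keep Spring on its current major on this branch; minor/patch
      # (including security fixes) are still proposed.
      - dependency-name: "org.springframework:*"   # assumed pattern
        update-types: ["version-update:semver-major"]

  # Entry for a maintenance branch, so security and minor updates also land there.
  - package-ecosystem: "maven"
    directory: "/"
    target-branch: "2.3.x"         # assumed branch name for the 2.3 line
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    reviewers:
      - "openmrs/dev-5"            # assumed GitHub team slug
    labels:
      - "dependencies"
      - "java"
    ignore:
      # Maintenance branches usually need to stay on their existing majors.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

Each `target-branch` entry is independent, so a maintenance branch can carry stricter `ignore` rules than master while still receiving the patch-level updates that fix known vulnerabilities. For the pom.xml side of this, keeping a single `<properties>` entry such as a shared Spring version that all related artifacts reference means dependabot (and a human doing a manual bump) only has to change one value to keep the whole library family in sync.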