From 6bd53f30fdfe4d3c66b4e9ff4b52cbbcb846ffc2 Mon Sep 17 00:00:00 2001
From: Alex Bishop
Date: Fri, 27 Oct 2023 13:07:21 +0100
Subject: [PATCH] =?UTF-8?q?BAU=20=E2=80=94=20Tell=20Dependabot=20to=20igno?= =?UTF-8?q?re=20Guice=206=20and=20Dropwizard=20Sentry=204?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tell Dependabot to ignore Guice 6.x and Dropwizard Sentry 4.x because neither of these are going to be just-merge-the- Dependabot-PR upgrades:
• Guice 6.x requires compatibility work on our side while Guice 7.x only works with Jakarta EE and not Java EE
• We essentially forked Dropwizard Sentry because it did not support Dropwizard 3.x — there is now a Dropwizard Sentry 4.x, which supports Dropwizard 4.x (and maybe Dropwizard 3.x), but we’d need to do work to go back to using an unmodified version
Also add comments explaining why we’re ignoring upgrades for certain Maven dependencies.
---
 .github/dependabot.yml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 2710d1c31..1afbcae50 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,11 +8,21 @@ updates:
 time: "03:00"
 ignore:
 - dependency-name: "io.dropwizard:dropwizard-dependencies"
+ # Dropwizard 4.x only works with Jakarta EE and not Java EE
+ versions:
+ - ">= 4"
+ - dependency-name: "org.dhatim:dropwizard-sentry"
+ # We essentially forked Dropwizard Sentry because it did not support
+ # Dropwizard 3.x — there is now a Dropwizard Sentry 4.x, which supports
+ # Dropwizard 4.x (and maybe Dropwizard 3.x), but we’d need to do work
+ # to go back to using an unmodified version
 versions:
 - ">= 4"
 - dependency-name: "com.google.inject:guice-bom"
+ # Guice 6.x requires compatibility work on our side
+ # Guice 7.x only works with Jakarta EE and not Java EE
 versions:
- - ">= 7"
+ - ">= 6"
 open-pull-requests-limit: 10
 labels:
 - dependencies
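Review bot: The three ignore ranges in this hunk (`">= 4"` for dropwizard-dependencies and dropwizard-sentry, `">= 6"` for guice-bom) are open-ended and carry no revisit marker, so Dependabot will stay silent on those majors indefinitely, including after the release lines still in use stop receiving fixes. As far as I know, `ignore` entries with `versions` can also hold back a Dependabot security-update PR when the first patched release falls inside the ignored range, so an advisory fixed only in an ignored major would surface as an alert without a PR; this is worth confirming against the Dependabot documentation, and alerts for this repository should be triaged by someone. I would extend each new comment with a tracking reference, for example `# Revisit: <tracking-issue> (Jakarta EE migration)`, so the ignore is removed when the blocking work lands. The `updates:` entry starts and ends outside the hunk.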