Enable Dependabot?

[pjfanning]

Would it be possible to enable dependabot so that Fesod is prompted with PRs when new jars become available for Fesod dependencies? This can be done by updating the .asf.yaml file. https://github.com/apache/infrastructure-asfyaml/blob/main/README.md

[delei]

Hi, @pjfanning

Thank you for your feedback.

Currently, we have already enabled Dependabot in the asf.yml file. If you find that the settings are incorrect, please feel free to contact us at any time.

fesod/.asf.yaml

Lines 43 to 44 in f302177

	dependabot_alerts: true
	dependabot_updates: false

[pjfanning]

dependabot_updates: true is what I am suggesting

[ongdisheng]

Hi! I looked into this and found below is probably the reason why. Looking at yesterday's Dependabot scheduled run logs, Dependabot is checking POI correctly. The version used by fesod is 5.4.1 at that time while the latest available version is 5.5.1, which is a minor version update from 5.4 to 5.5. However, I believe the current .github/dependabot.yml configuration only allows patch updates and ignores minor and major version updates:

    ignore:
      - dependency-name: "*"
        update-types: [ "version-update:semver-major", "version-update:semver-minor" ]