Upgrade TinkerPop to 3.5.4 and bump security related dependencies
Backport #3122, #3130, #3093, #3121, #3089, #2874, #2881
Thank you for contributing to JanusGraph!
In order to streamline the review of the contribution we ask you to ensure the following steps have been taken:
For all changes:
- [ ] Is there an issue associated with this PR? Is it referenced in the commit message?
- [ ] Does your PR body contain #xyz where xyz is the issue number you are trying to resolve?
- [ ] Has your PR been rebased against the latest commit within the target branch (typically master)?
- [ ] Is your initial contribution a single, squashed commit?
For code changes:
- [ ] Have you written and/or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
- [ ] If applicable, have you updated the LICENSE.txt file, including the main LICENSE.txt file in the root of this repository?
- [ ] If applicable, have you updated the NOTICE.txt file, including the main NOTICE.txt file found in the root of this repository?
For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in which it is rendered?
The committers listed above are authorized under a signed CLA.
- :white_check_mark: login: li-boxuan / name: Boxuan Li (61e323e5f37fbc88307250947a7e23944f2b3e29)
I just signed the CLA, but the EasyCLA check is still failing. Created a support ticket.
/easycla
I'm wondering in general whether we might want to discuss our branch strategy again, as we currently basically merge all PRs only into master, which we'll only release as version 1.0.0 right now, and that should include a lot of big breaking changes. So all small updates like these patch version updates that are relevant for security basically have to wait for the 1.0.0 release, or we need to manually backport them.
I feel like we should let those dependency-related PRs target the last stable version (0.6 at the moment), because a major release usually takes a year or so. Not sure if this is configurable in Dependabot.
Sounds like a good idea. I created a PR to configure Dependabot like that: #3169.