Consider using Dependabot to automate version bumps
Dependabot can help keep dependency versions up to date. (I don't know how well it deals with versions defined in <properties> though...) It will submit PRs when newer versions of dependencies are available, and it supports custom Maven repositories. Should we try it out to simplify version management in pom-scijava?
We don't always want to auto-bump to latest versions. Maybe we could use it just so that we don't miss any releases... but there would need to be a way to blacklist releases that are inappropriate for bumping in pom-scijava. And I already have a mechanism like that in the scijava/status.scijava.org repository, so that https://status.scijava.org only reports real actions needed.
I see that if you close a Dependabot PR, it will wait till the next release. But I fear this process could get annoying if, e.g., we are on the latest 2.x of a component and upstream is cutting new 3.x releases all the time (this happens with Guava, for example). And sometimes those 3.x releases are 3.0.0-alpha-1, 2, 3, 4, ... and we really want to ignore all of them until 3.0.0 final is released.
The process I have with status.scijava.org is pretty sustainable, and I don't think adding Dependabot into the mix would eliminate the need for that site—although if it could fully replace it, I'd be on board. I don't want to kibosh these sorts of ideas completely, but I am skeptical of the efficacy here, compared to the amount of work required to migrate to a new process.
I'm still happy with the current version management process, and iterating on things like the status site. Relying on Dependabot to suggest the correct version bumps for this mammoth BOM makes me nervous, so I'm going to close this issue for now.
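As an added illustration (not configuration from pom-scijava or from anyone in this thread), this is the shape of a `.github/dependabot.yml` that encodes the constraints discussed above: a custom Maven repository plus an `ignore` rule so Dependabot never proposes a semver-major bump (e.g. 2.x to 3.x, including 3.0.0-alpha-* pre-releases) for a given artifact. The registry URL, secret names and dependency coordinates are placeholders.

```yaml
# Constructed example: placeholder registry, secrets and coordinates.
version: 2

registries:
  # Custom Maven repository; credentials are read from repository secrets.
  custom-maven:
    type: maven-repository
    url: https://maven.example.org/repository/public   # placeholder URL
    username: ${{ secrets.MAVEN_USER }}               # placeholder secret
    password: ${{ secrets.MAVEN_PASSWORD }}           # placeholder secret

updates:
  - package-ecosystem: "maven"
    directory: "/"
    registries:
      - custom-maven
    schedule:
      interval: "weekly"
    # Bound the number of open PRs so a large BOM does not flood the repo.
    open-pull-requests-limit: 10
    ignore:
      # Stay on the current major line for this artifact: Dependabot will not
      # open PRs for 3.x (or 3.0.0-alpha-*) while the BOM pins a 2.x release.
      - dependency-name: "com.example:some-library"   # placeholder coordinates
        update-types: ["version-update:semver-major"]
```

Closing a PR only defers that one version, whereas an `ignore` entry suppresses the whole class of bumps until the entry is removed.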