Restrict Dependabot Netty updates to patch versions only #6942

Queued
bhoradc wants to merge 2 commits into master from bhoradc/dependabot-netty-patch-only

Conversation

@bhoradc (Contributor) commented May 6, 2026

Motivation and Context

Until we're ready to adopt Netty 4.2.x in the SDK, Dependabot's Netty group creates unmergeable PRs proposing 4.1.x → 4.2.x minor version jumps (e.g., #6941, #6878). These PRs sit unreviewed indefinitely and consume one of our 5 open PR slots.

Meanwhile, patch-level updates like 4.1.132 → 4.1.133 (which contain CVE fixes) are never proposed because Dependabot always targets the latest version (4.2.x).

Modifications

Add an ignore rule for io.netty:* that blocks semver-minor and semver-major updates. Dependabot will now only propose patch bumps within the current minor line.

Testing

Validated in private repo, Dependabot correctly proposed 4.1.132 → 4.1.133 and did not propose 4.2.x.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have read the CONTRIBUTING document
  • Local run of mvn install succeeds
  • My code follows the code style of this project
  • My change requires a change to the Javadoc documentation
  • I have updated the Javadoc documentation accordingly
  • I have added tests to cover my changes
  • All new and existing tests passed
  • I have added a changelog entry. Adding a new entry must be accomplished by running the scripts/new-change script and following the instructions. Commit the new file created by the script in .changes/next-release with your changes.
  • My change is to implement 1.11 parity feature and I have updated LaunchChangelog

License

  • I confirm that this pull request can be released under the Apache 2 license
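For readers who want to see what the "ignore rule for io.netty:*" described above looks like in practice, here is an added illustration of a Dependabot configuration carrying that rule. It is not the project's actual .github/dependabot.yml: the ecosystem, directory, schedule, group name and PR limit are assumptions chosen to match the description, and only the ignore block reflects the change this PR proposes.

```yaml
# Added illustration of the Dependabot policy described in this PR.
# Not the project's own dependabot.yml; everything except the ignore block is assumed.
version: 2
updates:
  - package-ecosystem: "maven"        # assumed: the SDK builds with Maven (mvn install)
    directory: "/"                    # assumed location of the root pom.xml
    schedule:
      interval: "weekly"              # assumed cadence
    open-pull-requests-limit: 5       # matches the "5 open PR slots" mentioned in the PR
    groups:
      netty:                          # assumed group name that batches all io.netty artifacts
        patterns:
          - "io.netty:*"
    ignore:
      # Stay on the current 4.1.x line until the SDK is ready for Netty 4.2.x.
      # Minor and major bumps are suppressed; Dependabot will still propose the
      # newest patch within the current minor (e.g. 4.1.132 -> 4.1.133), which is
      # where the CVE fixes land.
      - dependency-name: "io.netty:*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-major"
```

The rule is intentionally scoped to `io.netty:*` rather than to the whole ecosystem, so other dependencies keep receiving minor and major proposals. Because it is a temporary measure tied to the 4.1.x line, the ignore entry is the single thing to delete once the SDK moves to 4.2.x; leaving it in place afterwards would silently hide the next minor line's updates as well.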

@bhoradc bhoradc requested a review from a team as a code owner May 6, 2026 19:46
Until we adopt Netty 4.2.x, ignore minor/major version updates for
io.netty dependencies. This ensures Dependabot creates mergeable PRs
for patch bumps (e.g., 4.1.132 -> 4.1.133) instead of proposing
unmergeable 4.1.x -> 4.2.x jumps that sit unreviewed.
@bhoradc bhoradc force-pushed the bhoradc/dependabot-netty-patch-only branch from 0a67064 to 8315817 May 6, 2026 20:08
@bhoradc bhoradc added labels changelog-not-required (Indicate changelog entry is not required for a specific PR) and no-api-surface-area-change (Indicate there is no API surface area change and thus API surface area review is not required) May 6, 2026
@bhoradc bhoradc enabled auto-merge May 6, 2026 22:28
@bhoradc bhoradc added this pull request to the merge queue May 6, 2026