From b16c80cf68658f393849a968d5a72b61f62fc65f Mon Sep 17 00:00:00 2001 From: Sin-Kang Date: Sat, 23 May 2026 19:41:49 +0900 Subject: [PATCH] fix(deps): hold kr.devslab starter majors on the SB3 demos line MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR #40 (closed) was Dependabot bumping `kr.devslab:easy-paging-spring-boot-starter` from 0.4.0 → 0.5.0 across the 4 SB3 demos. The SB3 demos are pinned to the SB3 line of the starter on purpose — 0.5.x is the SB4 line and carries Jackson 3, Spring Framework 7, modularization changes, etc. that aren't compile- compatible with what those demos declare. All 4 builds went red, confirming the policy gap. Tighten the SB3 demos' `ignore` block: - kr.devslab:easy-paging-spring-boot-starter — hold major bumps - kr.devslab:easy-paging-spring-boot-starter-reactive — same - kr.devslab:ssrf-guard — hold majors preemptively (if/when ssrf-guard ships an SB4-only major, the same rationale will apply) - kr.devslab:ssrf-guard-* — same Patch/minor of these starters still flow through as grouped PRs (the existing `easy-paging` / `ssrf-guard` groups), so security/feature patches within each line land normally. The SB4 demos entry (the second gradle block below) is intentionally NOT touched — that entry is where major bumps of these starters SHOULD eventually land, alongside whichever new SB major the starter certifies against.
---
 .github/dependabot.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a6f8f50..29169a8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -56,6 +56,23 @@ updates:
 update-types: ["version-update:semver-major"]
 - dependency-name: "gradle"
 update-types: ["version-update:semver-major"]
+ # The starter family itself ships separate release lines for SB3
+ # (0.4.x) and SB4 (0.5.x+). A major bump of the easy-paging
+ # starter here would carry the SB3 demos into SB4 territory and
+ # break them (PR #40 was the first time we saw this in the wild
+ # — dependabot bumped to 0.5.0 across the SB3 demos and CI went
+ # red on all 4). Hold easy-paging majors so the SB3 demos stay
+ # on the 0.4.x line that matches their Spring Boot pin.
+ - dependency-name: "kr.devslab:easy-paging-spring-boot-starter"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "kr.devslab:easy-paging-spring-boot-starter-reactive"
+ update-types: ["version-update:semver-major"]
+ # Same shape applies to ssrf-guard's hypothetical SB4-only major
+ # release, if/when it ships — guard against it in advance.
+ - dependency-name: "kr.devslab:ssrf-guard"
+ update-types: ["version-update:semver-major"]
+ - dependency-name: "kr.devslab:ssrf-guard-*"
+ update-types: ["version-update:semver-major"]
 groups:
 easy-paging:
 patterns:
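Review bot: The `update-types: ["version-update:semver-major"]` filter on the four new `kr.devslab` entries probably does not block the bump that motivated this patch: as far as I know Dependabot derives "major" from the first version segment only, so 0.4.0 → 0.5.0 is classified as a minor update and would still be proposed, and the rule only starts biting at 1.0.0. An explicit range is both precise and self-documenting for the easy-paging pair — `- dependency-name: "kr.devslab:easy-paging-spring-boot-starter"` / `  versions: [">= 0.5.0"]`, and the same for the reactive starter — while the ssrf-guard entries can keep `update-types` only if that library is already on a 1.x line, which this hunk does not show. Since ssrf-guard is itself a security control, the block should also carry a caveat such as `# NOTE: ignore conditions also suppress Dependabot security-update PRs for the ignored range — watch ssrf-guard advisories for major-only fixes manually.`, because a security fix shipped only in a new major would otherwise be dropped without any signal. A dry run with the dependabot CLI against this branch would confirm 0.5.0 is actually excluded before merging; the `ignore:` list these entries belong to starts above the hunk.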