You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would like to see an improved release process...
Releases populated with release notes. This will help repo watchers who configure customise events for "Releases" only.
CHANGELOG.md updated for every release (or replaced by the usage of release notes?)
Improved uses of semantic versioning. Should not the additions to license mapping in 7.1.4 have warranted a minor release (7.2.0) instead of a patch release?
All of the above are used by dependabot PRs that update cyclonedx-core-java in downstream projects. Thus, addressing release notes (and/or changelog) should make a dependabot PR easier to review and approve. A difference in patch vs minor version can change the way that dependabot itself works.
As an additional justification, a wee story....
The release of cyclonedx-core-java-7.1.4 caused problems for me when it was included in cyclonedx-maven-plugin 2.7.0 and then BOMs generated using that release of the plugin resulted in displayed "License" in Dependency-Track to change for some components
Affected components were ones that use dual licensing and where one of the licenses now started to succesfully map to an SPDX license ID. Dependency-Track 4.5.0 does not support dual licences in the UI and prefers the ID over name. Hence the change of what license gets displayed. This caused me to spend a couple of hours investigating why things had changed. Bear in mind that the changes might have resulted in a policy violation.
The text was updated successfully, but these errors were encountered:
I would like to see an improved release process...
Releases populated with release notes. This will help repo watchers who configure customise events for "Releases" only.
CHANGELOG.md updated for every release (or replaced by the usage of release notes?)
Improved uses of semantic versioning. Should not the additions to license mapping in 7.1.4 have warranted a minor release (7.2.0) instead of a patch release?
All of the above are used by dependabot PRs that update cyclonedx-core-java in downstream projects. Thus, addressing release notes (and/or changelog) should make a dependabot PR easier to review and approve. A difference in patch vs minor version can change the way that dependabot itself works.
As an additional justification, a wee story....
The release of cyclonedx-core-java-7.1.4 caused problems for me when it was included in
cyclonedx-maven-plugin2.7.0 and then BOMs generated using that release of the plugin resulted in displayed "License" in Dependency-Track to change for some componentsAffected components were ones that use dual licensing and where one of the licenses now started to succesfully map to an SPDX license ID. Dependency-Track 4.5.0 does not support dual licences in the UI and prefers the ID over name. Hence the change of what license gets displayed. This caused me to spend a couple of hours investigating why things had changed. Bear in mind that the changes might have resulted in a policy violation.
The text was updated successfully, but these errors were encountered: