Enable dependabot

[akurtakov]

No description provided.

[rgrunber]

Looks the same as https://github.com/eclipse/eclipse.jdt.ls/blob/master/.github/dependabot.yml . @datho7561 , do you see any problems with this ?

[datho7561]

I know that at one point a version of dependabot was running on this repository. You can see PRs that it has opened: #1250, #1288. We might need to reach out to Fred to disable the other version of dependabot once this PR has been merged. Did you deal with something similar on eclipse.jdt.ls, @rgrunber ?

Other than that, this PR looks good to me.

[rgrunber]

Note that junit and jetty-server update pretty frequently.

When I look on a personal fork, I don't see some "other" dependabot. For version updates the config file seems to be the only way. There are options to enable dependabot for security updates which is what those may have been ?

[datho7561]

Oh okay, so this will make PRs for version updates, even if there aren't security updates?

[datho7561]

This seems very helpful. Thanks @akurtakov !

[akurtakov]

You're welcome. Btw, is there a reason why JSoup and Jetty PRs dependabot opened are pending and not merged?

[datho7561]

The JSoup update has breaking API changes, and a dependency we are using (which is deprecated) depends on the old version. I'll take a look into Jetty.

[rgrunber]

You're welcome. Btw, is there a reason why JSoup and Jetty PRs dependabot opened are pending and not merged?

I think updating jsoup would break remark-java (#1291). Not sure about jetty.

[datho7561]

It looks like the jetty version which fixes the vulnerability requires Java 11

[akurtakov]

It looks like the jetty version which fixes the vulnerability requires Java 11

Is requiring Java 11 problem for Lemminx?

[rgrunber]

I don't think there's any technical issues. It's mainly that clients would need to support users with only Java 1.8 on their system. Ther's a good amount of people probably still on Java 1.8. @datho7561 , If we had to switch, I think the client-side could detect when a JVM doesn't meet the minimum required version (eg. 11) and activate the binary version of LemMinX in those cases. Right ? As an example for vscode-xml, it would somewhere at https://github.com/redhat-developer/vscode-xml/blob/fcab66d6c35e497fbfb534c4f0ea6f4fa7d4f822/src/server/serverStarter.ts#L28 .

Moving to 11 would allow use to use flexmark-java though.

[datho7561]

If we had to switch, I think the client-side could detect when a JVM doesn't meet the minimum required version (eg. 11) and activate the binary version of LemMinX in those cases. Right?

Yep, looking through the code that seems to be what vscode-xml will do.