build(deps): bump ant from 1.7.0-SNAPSHOT to 1.9.15 in /ant/src/etc/poms/ant-apache-regexp #53



@dependabot dependabot bot commented on behalf of github Sep 14, 2020

Bumps ant from 1.7.0-SNAPSHOT to 1.9.15.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps ant from 1.7.0-SNAPSHOT to 1.9.15.

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the "dependencies" label (Pull requests that update a dependency file) Sep 14, 2020
@timj
Member

timj commented Sep 14, 2020

@mbtaylor do you want to take a look at all these security PRs?

@mbtaylor
Member

They look completely irrelevant, since they relate to maven use of ant, and the starjava build doesn't use maven. I suppose you could argue that we should accept the updates on the grounds that it's avoiding a theoretical issue, but I'm more inclined to reject them on the grounds of not fiddling with things that work. But in practice I can't see them changing the build for good or bad, just messing up my nice history :-). Unless somebody tries to persuade me otherwise, I think I'll close them all unmerged.

@timj
Member

timj commented Sep 14, 2020

They will complain again the next time there is an update, won't they? If you don't use maven why can't you fix starjava so that it doesn't have the maven stuff in it that is triggering the problem?

@timj
Member

timj commented Sep 14, 2020

Are you saying these are files that ship with ant that we include in the repo for convenience? So updating the ant package would fix them all in one go?

@mbtaylor
Member

Yes, the ant package is included in the starjava repo, so the build is pretty much standalone. @pdraper put this stuff in place when he set up starjava for splat and most of the files haven't changed in 14 years. Not having to think about ant updates over that time has been quite nice; the ant usage is not very sophisticated so any package updates probably wouldn't have made a difference. Since it's not broke, I'm not keen to change that policy. Peter's welcome to comment if he has anything to add, but I understand it's not really his problem by now.

@pwdraper
Member

Of course it would be nice to update these included dependencies, but since it is not broken I'm not tempted.
Other thoughts are we have some extensions to ant built into this version, so the update might be simple or not
(I don't think the extensions are used or needed now, but removing them would mean updating all the build.xml
files).

So I think I vote to switch this feature off, unless Mark wants to know about these issues anyway.

@mbtaylor
Member

Thanks Peter, I'm going to let sleeping dogs lie.

@mbtaylor mbtaylor closed this Sep 17, 2020
@dependabot @github
Author

dependabot bot commented on behalf of github Sep 17, 2020

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/maven/ant/src/etc/poms/ant-apache-regexp/org.apache.ant-ant-1.9.15 branch September 17, 2020 00:15