2. In general we don't bump dependencies, unless they are for critical bug fixes.
3. We weight the risk of new regression vs bug fixes. To state the obvious, we wouldn't backport a bug fix if it only affects a very small number of use cases but require very complex changes. There is huge gray zone in between here that'd rely on committer's judgement.
On Tue, Apr 24, 2018 at 3:56 PM, Cody Koeninger <[hidden email]> wrote: