Configure Dependabot #8204
Comments
Which dependencies are you referring to?
Nuget, GitHub Actions
Only then can we skip those notifications and not be spammed.
Well, only for GitHub Actions? @jsoref's Action is in alpha. Surely it is better to keep it up-to-date?
It's like an ordinary PR. You will have CI running and you would have to approve it. You can check out the branch and build and test yourself.
You don't have to upgrade dependencies manually like in #7618. Dependabot also includes the changelog and individual commits between the old and the new version in the PR so that you can scan through it to find any possible incompatibilities.
OK
Also, since each dependency has its own PR, it's easy to validate each dependency/accept upgrading only some dependencies.
Fwiw, I'm likely to make a PR for my action for at least the next version, but in the long run, it's probably worth having dependabot do the legwork (in the near term, it's probably more likely to update the
I am already bombarded with pull requests. I don't think we should merge them until after the release of 0.27. I haven't finished configuring it yet. I have to add every single directory with a project file to the config file. There might be a better way of doing this. I just don't know.
There are 76 pull requests, to be exact.
This is a problem. Since we have 76 pull requests, we cannot merge them right in. We would have to be slow and precise while merging them to make sure that nothing goes wrong. Then one could say, "Don't bother." That does not make sense from a security point of view, and it is important to use the newer version (not necessarily the latest, unless in the event of a security vulnerability).
Does this make the build process longer? If yes, I'm not for this. But if not, it's OK for me.
This has nothing to do with the build. It runs once every day on GitHub-hosted servers, not in Azure Pipelines.
UPDATE: 102 pull requests
For perspective, the overhead is mostly review (and if you're paying for the build time triggered by PRs). We run it w/ some small repos w/ quite a few scala/java and yarn dependencies and allocate a non-trivial amount of time reviewing the PRs and approving them (a fractional person per week out of a small team). The other approach is to ignore the problem and then deal with breakage/security problems on the late side. Both approaches are frustrating. In the long run, it's better to let dependabot incrementally manage the PRs than try to upgrade everything at once with months in between upgrades and have no idea what caused a break.
How about adding project directories into the Dependabot config slowly? This would drastically reduce the number of PRs and make everything easy to manage.
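The two concerns raised above, having to list every directory that holds a project file and being flooded with one PR per dependency, are both addressed by settings in the Dependabot v2 configuration file. The following `.github/dependabot.yml` is an added example and not this project's actual configuration; the directory names and the dependency name under `ignore` are placeholders, and the NuGet and GitHub Actions ecosystems, the daily schedule and the "add directories a few at a time" approach are the only parts taken from the discussion.

```yaml
# .github/dependabot.yml  (added example; paths and dependency names are placeholders)
version: 2
updates:
  # GitHub Actions workflows live under .github/workflows and are always rooted at "/".
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"

  # One NuGet entry per directory that contains a project file.
  # Start with a few directories and add the rest as the backlog is reviewed.
  - package-ecosystem: "nuget"
    directory: "/src/ProjectA"        # placeholder path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5       # cap on simultaneously open PRs for this entry (default is 5)
    groups:
      nuget-minor-and-patch:          # one combined PR for all minor/patch bumps instead of one PR each
        update-types:
          - "minor"
          - "patch"
    ignore:
      # A dependency the team has decided to hold at its current major version;
      # security updates are not affected by this ignore rule.
      - dependency-name: "Example.StablePackage"   # placeholder name
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "nuget"
    directory: "/src/ProjectB"        # placeholder path
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    groups:
      nuget-minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

Grouping minor and patch bumps into one PR is what brings a count like 76 or 102 open PRs down to something a small team can review, while major bumps still arrive individually so they can be tested and merged (or declined) one at a time. Dependabot versions that support the `directories` key also accept a glob such as `directories: ["/src/*"]` in place of one entry per project directory, which removes the need to hand-list every directory; check the GitHub documentation for your plan before relying on it. Dependabot runs on GitHub's side on the configured schedule, so none of this adds time to the project's own build.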
The reason why you don't do dependencies all the time is you have to test. We do this at the start of an iteration typically. Also, if something is stable, we may not want to update intentionally. More so with code paths we don't update regularly.
@jsoref please make a dedicated PR.
Will have to wait for dependabot/dependabot-core#2178
@alannt777, something shouldn't be in progress before we've agreed to the work.
Sync'ed with @enricogior, we want to be very deliberate on updating. We do this update monthly and do have automated security bots that warn us for security issues.
We should have dependabot enabled to make sure that our dependencies are up-to-date