
Use Dependabot to check for npm updates #23

Merged
merged 1 commit into from
Oct 5, 2020

Conversation

HonkingGoose
Contributor

Changes:

Dependabot will check for npm updates each working day (Monday through Friday).
It will label any pull requests it makes with the dependencies label.

Context:

I think it's a good idea to use a bot to check for updates.

Dependabot will check for npm updates each working day (Monday through Friday).
It will label any pull requests with the `dependencies` label.
Member

@RobinMalfait RobinMalfait left a comment


Hey! Thank you for your contribution!
Much appreciated! 🙏

This might not work for our playgrounds itself because they don't have tests so we have to do manual tests anyway. For the dependencies in the root this might be interesting. I know that there are some issues with newer TypeScript/TSDX versions but in that case CI would/should fail.

We'll see how this turns out and I might keep it or delete it in the future.

@RobinMalfait RobinMalfait merged commit bf2c251 into tailwindlabs:develop Oct 5, 2020
@HonkingGoose HonkingGoose deleted the patch-1 branch October 5, 2020 11:54
@HonkingGoose
Contributor Author

We'll see how this turns out and I might keep it or delete it in the future.

Yeah, if you don't like the bot, you can always turn it off by reverting this change.

Thanks for merging in my work! 👍

@RobinMalfait
Member


😬 😬 😬 😬

@HonkingGoose
Contributor Author

HonkingGoose commented Oct 5, 2020

On dependabot not supporting grouped updates

Do you prefer grouped updates for jest and babel-jest then?

Dependabot doesn't currently know how to group dependencies, this is a long standing feature request at the dependabot/core repo, see dependabot/dependabot-core#1190 and dependabot/dependabot-core#1296. I don't know when this will be added.

Consider using the Renovate bot for grouped updates support

If you really want grouped updates, take a look at the Renovate bot.
The downside of using that bot vs Dependabot is that you must install it for your repository.
The upside is that the Renovate bot does know grouped updates, and can be configured a bit more than Dependabot.
I don't know if the Renovate bot will do the grouping automatically or if you need to configure the groups yourself.

You can install the Renovate bot into the repository at the GitHub marketplace.
https://github.com/marketplace/renovate

The renovate bot has a really good on-boarding Pull request. That makes it way easier to figure out how to configure it to your liking.

Links to renovate bot docs:

Or find another bot you like better at the GitHub marketplace

https://github.com/marketplace/category/dependency-management

It seems that Depfu also has support for grouped updates according to dependabot/dependabot-core#1190 (comment).
I don't know about Snyk, I have not used this bot or seen it in use myself.

@HonkingGoose
Contributor Author

If your problem is with Dependabot opening pull requests for dependencies you want to ignore, read the section on ignoring dependencies in the GitHub docs for Dependabot:
https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#ignore

@adamwathan
Member

I saw Gary Bernhardt recommend Depfu instead of Dependabot on Twitter a while back and he generally has impeccable taste, so might be worth looking at that as an alternative.

@HonkingGoose
Contributor Author

HonkingGoose commented Oct 5, 2020

Depfu seems really promising:

  • Depfu also supports sending you a single weekly/biweekly/monthly PR that updates all your outdated dependencies at once.
  • If you enable the reasonably up-to-date strategy, Depfu "matures" new versions depending on the library's past release frequency instead of opening a PR right away.

Following advice from somebody else who you like and respect is not a bad idea in general. 👍
Getting stressed out with dependency updates defeats the point of having the bot in the first place.

I can verify that Depfu bundles the jest dependency updates into one big pull request by default.


Dependabot does have a tendency to open a lot of pull requests at once.
You can mitigate this by letting Dependabot run on a weekly schedule instead of daily.
Though then you get the firehose on Mondays, so I don't know if you consider that a nice start to the week. 😄

```yaml
schedule:
  interval: 'daily'
```

https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
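A `.github/dependabot.yml` that combines the settings discussed in this thread: the `dependencies` label from the PR description, the weekly interval suggested in the comment above, and the `ignore` section from the linked docs. This is an added example, not the file merged in this PR; the timezone, the open-PR limit and the ignored jest/babel-jest versions are assumptions.

```yaml
# .github/dependabot.yml (added example, not the configuration merged in PR #23)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                 # root package.json only; playgrounds are not covered
    schedule:
      interval: "weekly"           # one batch of PRs per week instead of a daily trickle
      day: "monday"
      time: "09:00"
      timezone: "Europe/Amsterdam" # assumed; use the maintainers' timezone
    labels:
      - "dependencies"             # same label the PR description asks for
    open-pull-requests-limit: 5    # caps the "firehose" of simultaneously open update PRs
    ignore:
      # Constructed example: hold back jest and babel-jest majors so they can be
      # bumped together by hand, since Dependabot cannot group them itself.
      - dependency-name: "jest"
        versions: ["26.x"]
      - dependency-name: "babel-jest"
        versions: ["26.x"]
```

Dependabot still opens security-advisory PRs for ignored versions only where the advisory applies, so the `ignore` list trades update noise for a manual check of those packages.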

@martingjaldbaek

Re: Dependabot creating a lot of PRs instead of grouping them together. I was frustrated with this too, so I created a GitHub workflow to automatically combine/group all Dependabot PRs together into a single PR. I figured others could benefit from it too, so I made it available here: https://github.com/hrvey/combine-prs-workflow
