Enable dependabot for ui and bump all minor versions #881

Merged
merged 2 commits into from Dec 24, 2022


smlabt
Contributor

@smlabt smlabt commented Dec 22, 2022

Is there a reason why package-lock.json is in .gitignore? Because I think otherwise we should check this in to our repository to have reproducible builds.

I am not familiar with dependabot, but according to the documentation (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates#example-dependabotyml-file) this is how we can enable it for the UI.

@smlabt smlabt changed the title chore: enable dependabot for ui and bump all minor versions [WIP] chore: enable dependabot for ui and bump all minor versions Dec 22, 2022
@bossenti bossenti added ui Anything that affects the UI enhancement New feature or request labels Dec 22, 2022
@bossenti bossenti added this to the 1.0.0 milestone Dec 22, 2022
@smlabt smlabt changed the title [WIP] chore: enable dependabot for ui and bump all minor versions Enable dependabot for ui and bump all minor versions Dec 22, 2022
@tenthe
Contributor

tenthe commented Dec 23, 2022

I think you are right, the package-lock.json should not be in the .gitignore.
We already use dependabot to check the dependencies, but I did not know that it can further be configured via .github/dependabot.yml.
What do you think would be the best update strategy for the ui dependencies?

@smlabt
Contributor Author

smlabt commented Dec 23, 2022

@tenthe I have checked the PRs opened by the dependabot (https://github.com/apache/streampipes/pulls?q=is%3Apr+is%3Aclosed+label%3Adependencies), but I do not see any UI related PRs. My hope is that with the dependabot.yml the bot will work.

If we want to reduce the amount of created PRs, we could try to ignore patch versions, as described here (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore). In this case the dependabot will open PRs for minor and major updates only.
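
A `.github/dependabot.yml` matching the setup discussed in this thread (npm version updates for the UI, with patch releases ignored), as an added example that is not the file merged in this pull request. The `/ui` directory, the weekly interval and the PR limit are assumptions.

```yaml
# Added example; not the dependabot.yml merged in this pull request.
version: 2
updates:
  - package-ecosystem: "npm"
    # Assumption: the UI's package.json and package-lock.json live in /ui.
    directory: "/ui"
    schedule:
      # Assumption: weekly checks; "daily" and "monthly" are also valid.
      interval: "weekly"
    # Assumption: cap on simultaneously open version-update PRs.
    open-pull-requests-limit: 5
    ignore:
      # Skip patch releases for every dependency, so version-update PRs
      # are opened for minor and major releases only.
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
```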

@tenthe tenthe merged commit 14584d2 into apache:dev Dec 24, 2022
@smlabt smlabt deleted the chore/enable-dependabot branch December 28, 2022 20:42
@bossenti bossenti modified the milestones: 1.0.0, 0.91.0 Jan 30, 2023