-
Notifications
You must be signed in to change notification settings - Fork 919
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: only update yarn.lock or package-lock.json if the version is within range #181
Comments
Seems this issue and #178 have a lot in common. I'll close this one (if that's a mistake feel free to re-open it). |
Actually, this is probably a bad idea. This means we'll be able to add features added in |
My hunch here is that libraries need something more than just Dependabot, and I'm not 100% sure how Dependabot should fit in. Off the top of my head, the setup I think a great library should have is:
I'm not aware of a solution to (1) for JavaScript - in Ruby it's generally done by not committing a lockfile and using either environment variables in the I think the best way for Dependabot to support (2) is for us to work the same way that Greenkeeper does in the case when a lockfile isn't committed and the README (or some other tell) suggests that the repo is a library. That will require a few changes on our side, but I'm keen to get our library support perfect. Cross-reference: dependabot/feedback#61. (And this can stay closed - I'm super aware of this issue and it's covered in a couple of others!) |
We're going to open source some of our tooling we've been using internally and to provide smaller download sizes (and bundles in case it's meant for the browser), we want to keep the ranges as open as possible for our users, leveraging yarn's deduping.
For example, this means we'd like to keep our
package.json
at^1.0.0
for a dependency while ouryarn.lock
could already lock to1.2.3
.This will still allow development of the projects to be done with constant updates, without bothering our users. It's not too big of an issue since we can just tell Dependabot to ignore the dependency until the next major release, though.
For us, this would be a bonus; certainly not a requirement.
(we're very happy with Dependabot already)
The text was updated successfully, but these errors were encountered: