Support grouping of pull requests #2265
Comments
|
I would love to have Could it support multiple PR #'s? i.e. |
|
I don't see why not. I'm still totally 👍 on this one, but it's going to require quite a lot of work on my side (it interacts with rebasing, etc.). |
|
Any way to follow progress on this? I'm subscribed to this issue, but do you use milestones or some form of public prioritization? 🙂 Just really excited for this 😄 |
|
Subscribing to this issue is the way to go - I don't have a public (or private) prioritization at the moment, but will let you know if/when I do. Hopefully I'll get to this before that's necessary 🙂 |
|
Have not found the 11th issue for the option mentioned in the comment (it seems to be about completely different thing): #376 (comment)
, this one seems the closest :-) It would be very nice to have such an option for repositories that have long build times + requirement of up-to-date branches before merging into master. When each new dependency from the bot comes as a separate PR, a lot of builds start on the CI, and more later when some PRs are merged and other are updated to match the new master. I understand why the default is a PR per dependency — if build fails, you know exactly why — but if most updates are minor or patch and your deps follow semantic versioning I reckon it won't fail too frequently when all dependencies for a language are updated in a single PR. Major updates might still go in a separate PR as they are more likely to break the build. |
|
+1 |
1 similar comment
|
+1 |
|
That would also be great for Travis CI queuing 🙄 |
|
By way of comparison to Renovate, it has a way to define groups (e.g. React + ReactDOM) that should always be opened together (vs opening 2+ PRs, then manually grouping each time, then opening a 3rd PR, etc) and also ships with common groups. I think for JS in particular, you could use peerDependency definitions to infer this, but for other languages it would still be nice to define groups. |
|
Sorry for the slow progress on this one. We've actually just implemented grouping based on peer dependencies (when a peer requirement would be broken). Right now we're working on config files and want to get that shipped before picking anything else up, but once that's out this is really high up our list. |
|
Awesome work @greysteil ! |
|
If this could also be in the configuration file, or be a company wide setting, that would be awesome. For example, we have a LOT of projects based on the Symfony framework. It's a modular framework, so we tend to have 5-15 dependencies that get updated once a week sometimes as they release patch versions. This is a PITA to approve when we have ~20ish projects that each have a lot of these dependencies to be merged in separately. So having something like the ability to say: group all dependencies that match: |
|
I had been thinking about bumping different components of the same project (assuming the same version |
|
Just chiming in on this - I would love to be able to group all dependency updates into one PR each week and be able to merge that. I realize this is a big feature but I'm looking forward to it! |
|
Would love to see this as well! PRs are getting kind of noisy when you have a lot of fast changing deps. |
|
This is what we need too ! Thanks guys ! |
|
Since I haven't seen it mentioned yet: Greenkeeper groups some popular monorepo dependencies. Here is their monorepo definition file, in case it could help you define a default grouping in javascript projects. |
|
Hey team, Sorry for the slow progress on this one. I hear you all, and have seen all the 👍 reactions on the top-level issue! Config files is shipped now, and in a state that we're happy with, so I've been picking up small robustness improvements throughout the codebase. I'm really keen to get to this soon, but want to make sure we do it right when we get to it. The place we hear the most need for this, by far, is for JavaScript updates, where it's more common to split up packages than in other languages. As a result, when we get to this we'll start there. The other use case we hear is "bundle all my updates together into a weekly PR". We don't hear that as often, so if a nice way to do it doesn't drop out of the solution to the above it may be a little longer before we support it. I can see how it might easily drop out, though. |
|
I also would really like this feature, as I have a C# project with many different projects, each of which has their own dependencies: https://github.com/exercism/csharp/ |
|
Both ideas would be really useful:
|
|
This feature would be so important. For every PR we spin up infrastructure on the cloud where we test the PR against. So for us the one PR per version update is an overkill |
|
I hope this feature is a top priority post acquisition. Renovatebot does this well. |
|
This is still a priority, but we have a lot on our plate right now, and our ethos has always been to focus on doing each thing well before moving on to the next. We're currently working to scale Dependabot up to work on 100m repos for security fixes, and ensure our language support is 💯. That said, I'd really love this to be fully implemented before we integrate |
This is common in other languages as well. For instance in PHP, the widely used Symfony framework consists of 20+ libraries which update in sync: Manually grouping PRs would be one solution. A better solution would be to inform Dependabot that the involved libraries should be updated together (if multiple updates availabe). |
|
I think it would be preferable to be able to tell dependabot via a config file dependencies which should be updated together. Then if there's an outstanding PR for one of them, that PR would be updated if one of the other dependencies in the same group also has an update. |
|
Note that this feature is typically unnecessary for Maven users, as you can simply introduce a POM property specifying the version of a set of dependencies from a common source, and the bot will correctly offer updates to this property. (More rarely, some projects offer a BOM for the convenience of clients.) There are however special cases where the author of a particular POM knows that a certain set of dependencies ought to be updated atomically despite not sharing a single version. |
|
In my case, one specific example is for Storybook on node.js. There are several packages (@storybook/react, @storybook-addon-actions, etc.) which commonly have new releases issued together. Right now I have to merge each one, wait for dependabot to rebase, and so on. It would be great if all these could be issued as a single PR since I know the changes are related. |
|
That’s a really common use case @michaelmior - we have the same with gatsby on Dependabot’s own website, so I’m acutely aware of this one |
|
+1 |
|
really would like to see this feature landing in soon, as it would reduce a lot of noise in our web projects using npm. often we do batch upgrades of all project deps upgrade using |
|
Using GitHub Actions it is not so hard to achieve. Here is an example for NodeJS project. https://github.com/w3c-webdriver/w3c-webdriver/pull/379/files |
|
@mucsi96 thanks for sharing. I still think a proper bot would be nice since it could support things like quickly exclude some dependencies, rebase a branch, and update when there is no user action for a week. |
|
Hi @rebelagentm sorry to ask Is it something that has been planned yet? Im wondering if we have to start hacking around this or if it will be done some time soon. Currently we are basically using dependabot as a notification that some libaries have been released and should be updated. We then go in make our own branch run |
|
Hi, @BradErz! @feelepxyz could better answer on the status of this right now. |
|
@BradErz we've paused dependabot-core improvements while we focus on integrating Dependabot natively in GitHub, this is still at least a few months out, unfortunately. |
|
@feelepxyz can you talk about whether this will be behind a paywall or not? |
No current plans on charging for Dependabot or individual features. |
Thanks for the status update on this! I will be waiting on the sidelines for this, but just wanted to add a +1 that this feature would be great, and add one more additional reason: I use Vercel to automatically create deployments for every PR. On their free tier, you're allowed a certain number of deploys per day. On some days, if Dependabot bumps a ton of dependencies, it can quickly push me over my deployment limit and lock my account. This is an edge case, but does make me feel like (in my particular, low-stakes, side project) case, a "batch in-range dependency updates into a single PR" could be particularly useful (and eventually save me $$ on deploys). Thanks team! |
Don't see any announcement in Satellite, but I am hoping it's getting close? |
|
This would be great. It prevents PR's like this:
|
|
We're planning on implementing this (it's our most requested feature) but this will come after we've launched the new integration of Dependabot native within GitHub (beta coming soon). I'm locking this issue to prevent spamming existing subscribers. |
|
Duplicate of #1190 |
@feelepxyz Any update on this? |
|
@wangyun1517 hoping to dig into this between now and the end of the year. If you'd like, head on over to #1190 to follow along. |
|
I would prefer if grouping could be configured on a per-organization basis: For example, I get a lot of PRs for Those Of course, Another example is https://capacitorjs.com/: In fact, I consider it as a common practice that many npm-organizations do simultaneous releases of multiple closely-related packages, in some cases even packages with the exact same version-numbers. Therefore, it seems natural to make organization-grouping configurable instead of hardcoding a specific behavior. |
|
the other issue is locked but would a work around be to split the target branch into a source branch which would still be the default branch by default and a destination integration branch so I can merge than one in batch I could deal with many individual PRs but having my main branch commit full of depandabot is really not great. This being said having the option to collapse into fewer PRs would probably be even better, with some command to reject some of the updates/split them away |
|
dependabot support grouping of pull requests now 🎉 https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups https://github.com/eve-val/eve-roster/pull/1815/files |
It looks like this feature came out of beta last October, and could really help with our npm pull request spam. This should lead to all npm version updates being consolidated in one pull request (though security updates will still come through in a new PR). Would be keen to try this out on tdr-transfer-frontend and roll out on others if it works Announcement: dependabot/dependabot-core#2265 (comment) Doc: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups
and others
See #376 for more detail.
The text was updated successfully, but these errors were encountered: