Automerge major updates #3716
It’s important that we automerge major updates as they are the only ones that will be opened in most of our repos because we do not use lockfiles. Let’s trust our tests to detect any potential breakage.
I'm not totally convinced because for example the ajv server's parameter is forwarded to the ajv module. We are not testing all the possible ajv configurations, so the tests may be green but the ajv's option accepts a new set of parameters.
Also, all modules that break the exports contract (see all modules by a prolific module author) may not trigger a failure. We have updated some of these, e.g. modules that generate CLI coloring, and tests have not caught them.
If I understand correctly you are against automatically merging the dependency updates. Why? The traffic is so high that it's a significant effort to keep up. We are already piling up dependency updates to assess, merge and release - the fact that they are piling up means no one is merging them. Given that I don't plan to do that work, is somebody planning to? If it breaks If we have a few modules that should not be automatically updated we can avoid them. However we have a significant amount of dependencies that are safe to update if the test passes.
Discussing the
I think you can already rely on us (@fastify/core) to do the work. Thinking out loud, we could have processed the starving dependabot's The next bit stuff to do that I'm aware of is the plugins' upgrade tho
I can be persuaded to apply more care to this repo (and its dependencies) vs the plugins. I don't think it's needed. Most of our dependencies are devDependencies that we should merge straight away if the test passes. In the vast majority of cases there is no care to apply, just additional work.
I totally agree the dependabot notifications are out of control and no one is managing them. I am so overwhelmed by them I just mute them. I don't have a solution. But auto merging majors seems a recipe for disaster.
I trust our tests and the community.
Any update on this one?
This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Checklist
npm run test and npm run benchmark
and the Code of conduct