Dependabot setup #42
base: master
Conversation
Thanks for the PR! So I tried Dependabot a while ago when it first came out, but chose to go with Depfu since Dependabot was too noisy. If you look at old pull requests, you'll see some from Depfu, dependabot-preview, and Greenkeeper before that.
But I think it's more customizable now, to only open PRs when there's a security issue, or when only dependencies but not devDependencies get updated?
```yaml
  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'daily'
```
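Review bot: `interval: 'daily'` on the `github-actions` block opens a PR the day any pinned action publishes a release; `'weekly'` (optionally with a `day:` key to fix the weekday) matches the cadence asked for in this thread. The schedule only governs version updates, so once Dependabot security updates are enabled in the repository settings they still arrive as advisories are published, independent of this interval.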
I'm more of a fan of "weekly" updates (except for security). Some updates come with bugs that get fixed a few days later.
```yaml
    open-pull-requests-limit: 999
    ignore:
      - dependency-name: '*'
        update-types: ['version-update:semver-major']
```
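Review bot: `open-pull-requests-limit: 999` lifts the default cap of five concurrent Dependabot PRs, which runs against the noise concern raised in this thread, while the `ignore` entry for `dependency-name: '*'` with `version-update:semver-major` silences every major bump of every dependency, so a package whose maintainers only ship fixes in a new major line will never be proposed here. Suggest dropping the limit key (or setting it to `5`) and either naming the specific packages whose majors should be held back or narrowing scope with `allow: [{ dependency-type: 'direct' }]` instead of ignoring majors outright.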
I'd rather get notified of major updates; it may mean that this module needs to be updated for any breaking changes. But I'd rather get notified and have that option than not know.
```yaml
    open-pull-requests-limit: 999
    ignore:
      - dependency-name: '*'
        update-types: ['version-update:semver-major']
```
Could you add a clause to only allow direct dependencies?
I am unsure of the amount of time dedicated to this package, so I figured I'd ignore major version updates to not induce breaking changes (assuming the deps' maintainers follow proper semver).
There is a step 2 that can't be done via PR: in the project Settings > Code security and analysis, make sure Dependency graph and Dependabot version updates are enabled at a minimum for Dependabot to work (although I strongly recommend everything on that page be enabled).
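Pulling the thread's asks together (weekly cadence, direct production dependencies only so devDependencies are skipped, majors left visible rather than ignored, the GitHub Actions block kept) gives a config like the one below. This is an added example, not the file from this PR or the project's own configuration; it assumes the package is an npm project at the repository root and picks Monday as the run day.

```yaml
# Added example for .github/dependabot.yml (not the PR's file).
# Assumes an npm package at the repo root; the day of week is arbitrary.
version: 2
updates:
  - package-ecosystem: 'npm'
    directory: '/'
    schedule:
      interval: 'weekly'
      day: 'monday'
    # Leave the default cap of 5 open PRs in place; raising it to 999 is
    # what makes daily updates noisy.
    open-pull-requests-limit: 5
    allow:
      # "production" restricts version updates to runtime dependencies,
      # so devDependencies are not proposed. Use "direct" instead to
      # include direct devDependencies while still skipping transitive ones.
      - dependency-type: 'production'
    # No wildcard semver-major ignore: major bumps are surfaced so breaking
    # changes can be reviewed. Hold back a specific package only if needed,
    # e.g. a dependency-name entry with update-types for that package alone.

  - package-ecosystem: 'github-actions'
    directory: '/'
    schedule:
      interval: 'weekly'
      day: 'monday'
```

This file controls version updates only. Dependabot security updates (and the Dependency graph they rely on) are switched on separately under Settings > Code security and analysis, as the comment above notes, and once enabled they open PRs as advisories are published rather than on the weekly schedule.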