Dependabot setup #42
Dependabot setup #42
Conversation
There was a problem hiding this comment.
thanks for the PR! so i tried dependabot a while ago when it first came out, but chose to go with depfu since dependabot was too noisy. if you look at old pull requests, you'll see some from depfu, dependabot-preview, and greenpkeeper before that.
but i think it's more customizable now to only open PRs when there's a security issue, or when only dependencies but not devDependencies get updated?
| - package-ecosystem: 'github-actions' | ||
| directory: '/' | ||
| schedule: | ||
| interval: 'daily' |
There was a problem hiding this comment.
i'm more a fan of "weekly" updates (except for security). some updates sometimes come with bugs that get fixed a few days after
| open-pull-requests-limit: 999 | ||
| ignore: | ||
| - dependency-name: '*' | ||
| update-types: ['version-update:semver-major'] |
There was a problem hiding this comment.
i'd rather get notified of major updates, it may mean that this module needs to be updated for any breaking changes. but i'd rather get notified and have that option, than not know
| open-pull-requests-limit: 999 | ||
| ignore: | ||
| - dependency-name: '*' | ||
| update-types: ['version-update:semver-major'] |
There was a problem hiding this comment.
could you add a clause to only allow direct dependencies?
I am unsure on the amount of time dedicated to this package so I figured to ignore major version updates to not induce breaking changes (assuming the deps' maintainers follow proper semver).
There is a step 2 that can't be done via PR, but in the project
Settings>Code security and analysis, make sureDependency graphandDependabot version updatesare enabled at a minimum for dependabot to work (although I strongly recommend everything on that page to be enabled)