Migrate to native dependabot #657
Conversation
| versioning-strategy: increase | ||
| open-pull-requests-limit: 20 | ||
| allow: | ||
| - dependency-type: all |
There was a problem hiding this comment.
May I ask you if this is really necessary?
I fear that so many notifications just end up being trashed by everyone, even the ones that may have value been reviewed supervisioned.
What about direct only?
There was a problem hiding this comment.
I want for all dependencies to be as up-to-date as possible. There's tooling to auto-merge everything that passes CI so there's very little tracking to be done.
I do understand the concern around the volume of notifications there's also rate limiting happening sometimes... the trade-offs in play here is to ensure that development of the library works in the same way for everybody and that nobody has to update dependencies manually.
I'd love if dependabot would run things with composer require x -W to update the dependencies of our dependencies together with the changes being introduced but that's not the case now 😞
There was a problem hiding this comment.
(I do hate when symfony update their packages without releasing anything, though)
No description provided.