chore: enable Dependabot updates #3697

Closed

rui-rayqiu
Contributor

First try on enabling Dependabot for weekly automatic dependency updates.

Does this pull request introduce a breaking change?

  • ✅ No, it does not introduce a breaking change.

Does this pull request introduce an observable change?

  • ✅ No, it does not introduce an observable change.

GUS work item

@rui-rayqiu rui-rayqiu requested a review from a team as a code owner September 2, 2023 00:24
@abdulsattar
Contributor

/nucleus test

@abdulsattar abdulsattar left a comment

There are a few dependencies that we don't update like prettier and some resolutions like jasmine-core, semver. Can we do something about them?

schedule:
interval: "weekly"
# Create a group of dependencies to be updated together in one pull request
groups:

Do we need all these groups?

# Create a group of dependencies to be updated together in one pull request
groups:
# Specify a name for the group, which will be used in pull request titles and branch names
wdio-deps-udpate:
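
Review bot: the group key `wdio-deps-udpate` on the last line of this hunk misspells "update". The comment directly above it says the group name is used in pull request titles and branch names, so the misspelling would show up in every grouped pull request and branch; rename the key to `wdio-deps-update`.
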

Typo here and elsewhere: udpate instead of update.

@nolanlawson
Contributor

nolanlawson commented Sep 14, 2023

There are a few dependencies that we don't update like prettier and some resolutions like jasmine-core, semver. Can we do something about them?

We can't fix this without a lot of churn. For now, we should:

  1. Search through all the package.json files for // comments
  2. Find all dependencies that must be pinned, such as jasmine-core and prettier
  3. Add them to the ignore list

For semver, which uses the yarn "resolutions", there is apparently nothing we need to do:

Dependabot cannot increase the version in the resolutions field. However it respects the value in the resolutions field when it bumps a dependency.
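
The three steps listed in the comment above, as a script. This is an added example, not written by anyone in the thread and not taken from the repository. It assumes pins are documented under a top-level "//" key in each package.json; `findPinnedDependencies`, `renderIgnoreBlock` and the sample manifests are constructed for illustration.

```javascript
// Added example: not code from the pull request or the repository.
// Assumption: a pin is documented under a top-level "//" key in package.json,
// either as free text or as an object keyed by dependency name.

// "resolutions" is deliberately absent: per the thread, nothing is needed there.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Split comment text into candidate package names (keeps @scope/name intact).
function tokens(note) {
    const text = typeof note === 'string' ? note : JSON.stringify(note);
    return new Set(text.split(/[^A-Za-z0-9@\/._-]+/).map((t) => t.replace(/\.+$/, '')));
}

// manifests: { "<path>": "<package.json text>" } -> sorted names to ignore.
function findPinnedDependencies(manifests) {
    const pinned = new Set();
    for (const text of Object.values(manifests)) {
        const pkg = JSON.parse(text);
        if (pkg['//'] === undefined) continue;
        const mentioned = tokens(pkg['//']);
        for (const field of DEP_FIELDS) {
            for (const name of Object.keys(pkg[field] || {})) {
                // Exact token match, so "jasmine" is not flagged by "jasmine-core".
                if (mentioned.has(name)) pinned.add(name);
            }
        }
    }
    return [...pinned].sort();
}

// Render the entries for the `ignore` key of one `updates` entry in dependabot.yml.
function renderIgnoreBlock(names) {
    return ['    ignore:', ...names.map((n) => `      - dependency-name: "${n}"`)].join('\n');
}

// Constructed sample manifests (versions and reasons are invented for the demo).
const SAMPLE = {
    'package.json': JSON.stringify({
        '//': { prettier: 'pinned until the repo is reformatted' },
        devDependencies: { prettier: '2.8.8', eslint: '^8.0.0' },
        resolutions: { semver: '7.5.4' },
    }),
    'packages/demo/package.json': JSON.stringify({
        '//': 'Do not bump jasmine-core.',
        devDependencies: { 'jasmine-core': '3.10.0', jasmine: '^4.0.0' },
    }),
};

console.log(renderIgnoreBlock(findPinnedDependencies(SAMPLE)));
```

Every name the script emits is a dependency that will stop receiving automated version updates, so each one should be checked against the reason recorded in its "//" comment before it goes into the ignore list.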

@nolanlawson
Contributor

Superseded by #4130. Incidentally a lot of things have changed in the past ~6 months so we don't need to pin as many dependencies.
