Consider making the duplicate package check optional #26262
Comments
If the original intention has changed, it would be good to track what is needed to remove a duplicate instead of tracking what caused it.
Lines 28 to 56 in e69adfd
To reduce confusion, please be aware that I suggested to have a manual check that could be run once a month to file upstream bugs. Current bureaucracy mainly serves instant visibility instead of upgrades. Dependencies are liabilities and if they are not sufficiently maintained, they should be forked or removed. The worst stories of NPM craziness should not be repeated with Cargo. I ran
I'm -100 on removing that check. You say those duplicates are temporary, but most often they aren't.
Also don't go around calling things "dark patterns", that's a bit out of place, IMO.
From my current understanding, I think the duplicate package check of servo tidy (#7133, #14695, #19306) is today rather a dark pattern that could prevent fixing regular and security bugs (#15989 (comment)). Dependabot removes duplicates by upgrading all dependencies step by step. I think this check should be changed into an optional command that can be run manually if one wants to notify external repositories like surfman and gfx-rs to keep their dependencies up to date - as long as they haven't adopted dependabot as well. It is used all across Mozilla and will become a built-in feature of GitHub: https://github.com/pulls?q=is%3Apr+author%3Aapp%2Fdependabot-preview+org%3Amozilla
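An added example, not part of the issue thread and not Servo's tidy code: a standalone duplicate check of the kind the issue proposes running manually. For each crate locked at more than one version it reports which crates pull in each version, which is what has to be upgraded to remove the duplicate. The lockfile excerpt and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt for illustration (not Servo's real lockfile).
SAMPLE_LOCK = '''
[[package]]
name = "app"
version = "0.1.0"
dependencies = ["log 0.4.8", "oldlib"]
[[package]]
name = "log"
version = "0.3.9"
[[package]]
name = "log"
version = "0.4.8"
[[package]]
name = "oldlib"
version = "1.0.0"
dependencies = ["log 0.3.9"]
'''

def parse_packages(lock_text):
    """Return [(name, version, [dependency strings])] from Cargo.lock text."""
    packages = []
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        deps = re.search(r'^dependencies = \[(.*?)\]', block, re.M | re.S)
        if name and version:
            dep_list = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
            packages.append((name.group(1), version.group(1), dep_list))
    return packages

def find_duplicates(lock_text):
    """Map each multi-version crate to {version: [crates that pull it in]}."""
    packages = parse_packages(lock_text)
    versions = defaultdict(set)
    for name, version, _ in packages:
        versions[name].add(version)
    report = {}
    for name, vers in versions.items():
        if len(vers) < 2:
            continue
        users = {v: [] for v in sorted(vers)}
        # Cargo writes "name version" in a dependency entry when the name is ambiguous.
        for parent, _, deps in packages:
            for parts in (dep.split() for dep in deps):
                if parts[:1] == [name] and len(parts) > 1 and parts[1] in users:
                    users[parts[1]].append(parent)
        report[name] = users
    return report
```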