Use dependency bot #40
Comments
I believe GitHub also offers Dependabot?
…On Tue, Dec 12, 2023 at 4:58 AM Vìncent Le Goff ***@***.***> wrote:
Currently we are maintaining a set of libraries which have dependencies.
Maintaining everything up to date and out of security vulnerabilities would
be quite a mess to do manually.
I suggest we use Renovate <https://docs.renovatebot.com/> which supports
all the languages we support.
wdyt?
--
*Jorge Vivas*
Staff Engineer
*Growth & Core*
lob.com
<http://www.lob.com>
Dependabot doesn't offer simple strategies regarding multi languages / grouping etc.
Appreciate the explanation...
You are right, I forgot about the multi-language support from dependabot.
I am not opposed to trying it out.
…On Tue, Dec 12, 2023 at 8:46 AM Vìncent Le Goff ***@***.***> wrote:
Dependabot doesn't offer simple strategies regarding multi languages /
grouping etc.
Renovate is simpler and more performant from my experience. Easy to set up
and offers a simple dashboard also.
One example of what we built at Kong:
https://github.com/Kong/public-shared-renovate
I'm up for either. No strong opinion either way.
@zekth, I don't remember, did we manage to set it up? I remember we had issues.
I'll have a retry run but it was acting weirdly. I think we can set up Dependabot as a backup solution but Renovate is more convenient.
@zekth, I think it's maybe still too aggressive? Should we maybe only tell it to upgrade on security issues?
We were really out of date on many deps, I created one PR to address the grouping of JavaScript which is mostly the most noisy ecosystem: #96 Currently the configuration ignores the
Currently we are maintaining a set of libraries which have dependencies.
Maintaining everything up to date and out of security vulnerabilities would be quite a mess to do manually.
I suggest we use Renovate which supports all the languages we support.
wdyt?