
Reduce Dependabot PR noise for NPM package ecosystem #66

Merged (1 commit), Dec 12, 2020

svengreb (Owner)

Resolves #65

To reduce the noise of too many PRs from NPM dependencies, where most of
them are only scoped for (local) development, two optimizations have
been made:

1. The schedule changed to the `monthly` interval [1].
   This is still enough to keep up with the fast updates in the NPM
   ecosystem.
2. Only watch production packages (`dependencies`) and ignore
   development packages (`devDependencies`).
   The packages used for local or CI/CD development purposes are not
   required to be the latest version just for the sake of being
   up-to-date without a specific need or benefit.

Since GitHub takes security really seriously [2], important Dependabot
security updates [3] are triggered manually by a security advisor so
there is no risk of missing important version bumps when reducing the
schedule interval.

  "Use the `allow` option to customize which dependencies are updated.
  This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

GH-65
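A `.github/dependabot.yml` that implements the two changes described in the PR body, added here as an illustration; it is not the diff merged in this PR (the page does not show that file). `version: 2`, `package-ecosystem`, `directory`, `schedule.interval` and `allow.dependency-type` are standard Dependabot configuration keys; the `npm` ecosystem and `/` directory are assumed for a repository with a single `package.json` at its root.

```yaml
# Added example, not the project's committed file.
# Assumptions: one npm package at the repository root.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      # Change 1: check for version updates once a month instead of a
      # shorter interval (the PR does not state the previous value).
      interval: "monthly"
    # Change 2: only open version-update PRs for runtime packages
    # ("dependencies"); "devDependencies" are not watched.
    # Per the GitHub docs quoted above, "allow" does not affect
    # Dependabot security updates for vulnerable dependencies.
    allow:
      - dependency-type: "production"
```

The `allow` filter narrows version updates only; a Dependabot security alert on a `devDependencies` package still produces a security-update PR, which is the property the PR relies on when lengthening the schedule.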
@svengreb svengreb force-pushed the improvement/gh-65-reduce-depbot-pr-noise-npm-ecosys branch from 21f144d to 22ecca6 Compare December 12, 2020 11:21
@svengreb svengreb merged commit 32925a1 into main Dec 12, 2020
@svengreb svengreb deleted the improvement/gh-65-reduce-depbot-pr-noise-npm-ecosys branch December 12, 2020 11:29
@svengreb svengreb removed their assignment Dec 12, 2020