Maintenance: fine tune Dependabot configuration #1858

Closed
1 of 2 tasks
am29d opened this issue Jan 9, 2024 · 4 comments · Fixed by #1862, #1917, #1935 or #1968
Assignees
Labels
automation This item relates to automation completed This item is complete and has been merged/shipped internal PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.)

Comments

@am29d
Contributor

am29d commented Jan 9, 2024

Summary

We have added Dependabot recently with a broad configuration. We now need to fine-tune the dependencies that require an exception or have a specific case, i.e. no upgrade, only major/minor versions. The knowledge about these dependencies was not documented previously.

Why is this needed?

This is needed to document dependency management exceptions: what is pinned and what can be upgraded. This will also scope down Dependabot for the project-specific updates and upgrades.

Which area does this relate to?

No response

Solution

No response

Acknowledgment

Future readers

Please react with 👍 and your use case to help us understand customer demand.

@am29d am29d added triage This item has not been triaged by a maintainer, please wait internal PRs that introduce changes in governance, tech debt and chores (linting setup, baseline, etc.) labels Jan 9, 2024
@am29d am29d self-assigned this Jan 9, 2024
@am29d am29d added automation This item relates to automation and removed triage This item has not been triaged by a maintainer, please wait labels Jan 9, 2024
@am29d am29d moved this from Triage to Working on it in Powertools for AWS Lambda (TypeScript) Jan 9, 2024
@heitorlessa
Contributor

Quick example for groups to fine-tune dependencies you don't want major versions for, or want to explicitly ignore, like middy.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore

@dreamorosi
Contributor

Off the top of my head, I think:

  • middy should be locked to minor version in the current major only
  • all AWS CDK related dependencies (including alpha packages and CLI) in testing, layers, examples/cdk, etc. should be grouped
  • all AWS SDK related dependencies, together with the AWS SDK mock ones (in idempotency and parameters) should be grouped together

For all other dev dependencies, and specifically the ones in the main package.json file, we'll have to be careful especially in those cases where major versions have dropped support for Node.js versions that we still must support (Node.js 16 mainly).

Overall, however, except for the CDK-related ones, most version issues should be caught in the PR CI, so this is a good change.
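
The rules listed in the comment above, sketched as a `dependabot.yml` fragment. This is an added example, not the project's actual configuration and not part of the original comment; the package-name patterns, the single root `directory` and the weekly schedule are assumptions.

```yaml
# Added example: not the repository's real .github/dependabot.yml.
# Package-name patterns, directory and schedule below are assumptions.
version: 2
updates:
  - package-ecosystem: npm
    # Assumes one entry at the repository root; folders with their own
    # manifest (e.g. examples/cdk) would need their own entry with the
    # same ignore/groups rules.
    directory: /
    schedule:
      interval: weekly
    ignore:
      # middy: stay on the current major, still receive minor/patch updates
      - dependency-name: "@middy/*"
        update-types:
          - "version-update:semver-major"
    groups:
      # One PR for all AWS CDK packages (library, alpha packages, CLI),
      # so they move together
      aws-cdk:
        patterns:
          - "aws-cdk"
          - "aws-cdk-lib"
          - "@aws-cdk/*"
      # One PR for the AWS SDK clients together with the SDK mock packages
      aws-sdk:
        patterns:
          - "@aws-sdk/*"
          - "aws-sdk-client-mock*"
    # Every other dependency is left ungrouped: each update arrives as its
    # own PR, so a major version that drops a supported Node.js release
    # fails PR CI in isolation.
```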

@heitorlessa
Contributor

heitorlessa commented Jan 9, 2024 via email

@github-project-automation github-project-automation bot moved this from Working on it to Coming soon in Powertools for AWS Lambda (TypeScript) Jan 9, 2024
Contributor

github-actions bot commented Jan 9, 2024

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@dreamorosi dreamorosi linked a pull request Jan 18, 2024 that will close this issue
9 tasks
@dreamorosi dreamorosi linked a pull request Jan 25, 2024 that will close this issue
9 tasks
@dreamorosi dreamorosi linked a pull request Jan 25, 2024 that will close this issue
9 tasks
@dreamorosi dreamorosi moved this from Coming soon to Shipped in Powertools for AWS Lambda (TypeScript) Jan 26, 2024
@dreamorosi dreamorosi added the completed This item is complete and has been merged/shipped label Jan 26, 2024
3 participants