Dependabot should only open PRs for meaningful updates #834
Conversation
Agreed. I did this on purpose temporarily to see where we had problem dependencies and where we did not. Once we have a v2 production release and then our dependency upgrades have settled down, I would prefer that JS dependencies be grouped like our GitHub Actions are currently configured.
Since I am the one who opened the pull request that introduced the Dependabot configuration (#688), I may at least in part be to blame for the current situation. However, in my pull request the limit was set so that Dependabot only opens at most ten pull requests at a time. In my experience that limit is a good way to make sure maintainers do not get overwhelmed by the sheer amount of incoming pull requests from Dependabot. Then somebody else increased the limit to 100, and as a result there are currently over 70 open Dependabot pull requests. That is a huge number, but something like that can unfortunately be expected. Until a week ago the latest commit on the One thing that helps in dealing with so many version updates is a comprehensive and automated test suite.
The bigger problem is that none of the updates are meaningful regardless of how gradually you deal with them. In fact, doing it gradually makes the problem far worse because you would have had to do an update for every intermediate version. The test suite isn't relevant for the open PRs as none of them will affect users.
Guilty.
I have less confidence than others.
Let's do that just after #739 is completely resolved and we are on a new production release. After that megamerge, we can group the JS updates just like #740.
How do we prove that? Thanks for your help on this.
Because they don't edit
Can we please merge this? Dependabot is clogging up the PR queue again. PR #847 and everything after that should be closed as none of them have any meaningful effect. If we merge them they will clog the commit log with noise. Some of the earlier Dependabot PRs may be nice to merge even though most of those also don't affect users. However, they will help keep our testing infrastructure updated by bumping packages to new major versions. I wouldn't object if those are closed, but feel they can potentially be worth it as doing major version upgrades can help keep things modernized. However, #847 and after are all minor/patch versions and should really be avoided because we simply can't have 4-5 new PRs opened every day.
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow:
This would be much better than our current config. Every single dependabot PR that's passing the CI currently looks to be just noise as none of them affect users and only affect our own lockfile. This makes it difficult to tell which PRs are actually meaningful as they're hidden amongst the ones with no impact.
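For reference, the following `.github/dependabot.yml` is an added illustration of the three controls discussed in this thread (a per-ecosystem PR limit, grouping the JS updates the way the GitHub Actions updates are already grouped, and the `allow` filter from the linked docs). It is not the project's own configuration and has not been taken from #688; the `npm` ecosystem, the `/` directory, the weekly schedule, and the group names `js-dependencies` and `github-actions` are assumptions.

```yaml
# Added example, not the project's dependabot.yml.
# Ecosystem, directory, schedule and group names are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"            # assumed: package.json at the repo root
    schedule:
      interval: "weekly"
    # Cap the number of simultaneously open Dependabot PRs (the thread
    # argues 10 is manageable; 100 led to 70+ open PRs).
    open-pull-requests-limit: 10
    # Only raise PRs for dependencies that ship to users; devDependency
    # bumps that only touch the lockfile are skipped.
    allow:
      - dependency-type: "production"
    # Drop the semver-minor/patch churn that the thread wants to avoid;
    # major versions still get their own PR.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
    # Collapse whatever remains into one PR instead of one PR per package.
    groups:
      js-dependencies:
        patterns:
          - "*"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
```

`allow` and `ignore` are evaluated per dependency before grouping, so the group only ever contains the updates that survive both filters; security updates are not affected by `ignore` rules on `update-types` unless the rule names a specific dependency. Which of these knobs to keep (the `ignore` block in particular) is the policy question this issue is debating.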