front: re-enable dependabot for direct dependencies #8990
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
isn’t there a way to batch all the bumps into one single PR, like every week one big bump PR with all the new cool stuff? |
woshilapin
approved these changes
Sep 25, 2024
emersion
force-pushed
the
emr/reenable-dependabot
branch
from
ba4ca12 to
bd0ec98
Compare
|
Switched to weekly updates grouped in a single PR. |
|
If it's a single weekly PR, maybe we can re-enable updates for transitive dependencies. |
Khoyo
approved these changes
Sep 25, 2024
anisometropie
approved these changes
Sep 25, 2024
I’d say go for it |
In #2969, dependabot got disabled because it was too spammy. However, disabling dependency updates makes us fall behind pretty hard and makes version upgrades quite painful. Instead of gradually integrating new dependency upgrades and finding bugs as they arise, we're forced to make a huge commit upgrading many packages at once. Regressions are harder to narrow down and humans have to remember and volunteer to perform this unrewarding upgrade task. As a middle ground, re-enable dependabot but group all updates in a single weekly PR. This should make it less spammy than getting one PR per dependency upgrade (transitive dependencies included), while at the same time allowing us to keep up with new versions of libraries we're using. Signed-off-by: Simon Ser <[email protected]>
emersion
force-pushed
the
emr/reenable-dependabot
branch
from
bd0ec98 to
4b00d76
Compare
|
Alrighty |
flomonster
approved these changes
Sep 25, 2024
Wadjetz
approved these changes
Sep 25, 2024
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In #2969, dependabot got disabled because it was too spammy. However, disabling dependency updates makes us fall behind pretty hard and makes version upgrades quite painful. Instead of gradually integrating new dependency upgrades and finding bugs as they arise, we're forced to make a huge commit upgrading many packages at once. Regressions are harder to narrow down and humans have to remember and volunteer to perform this unrewarding upgrade task.
As a middle ground, re-enable dependabot updates for direct dependencies only, and group all updates in a single weekly PR. This should make it less spammy than enabling it for all dependencies (transitive dependencies included), while at the same time allowing us to keep up with new versions of libraries we're using.