-
-
Notifications
You must be signed in to change notification settings - Fork 126
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: configure Dependabot #231
base: main
Are you sure you want to change the base?
Conversation
Hi @yeikel and thank you very much for this PR! Unfortunately, Dependabot creates a lot of noise and the security analysis method it uses is broken by design. These are the dependencies that this action currently uses in builds and that run in containers: action-semantic-pull-request/package.json Lines 25 to 31 in ff373f4
We've recently updated all dependencies in the project. My current perspective is that the load of pull requests that Dependabot creates, causes much more trouble than what we gain from it. Something like a quarterly dependency update where the relevant dependencies are checked in detail seems more useful to me. If there is some configuration option for Dependabot where it creates a PR once every 3 months where it updates all dependencies in one batch, I think this could be a good compromise. What do you think? |
Dependabot keeps dependencies up to date in general and it is not only concerned about security upgrades. I think that it is important to keep dependencies up to date in general to get notified about new features and enhancements as well as be informed about deprecations and breaking changes as they happen. This is crucial to save development time as I personally find smaller upgrades easier to manage. Generally, I think that waiting 3-4 months to update dependencies is not desirable in general and more so when new versions might come with bug fixes (or security upgrades). it is important to note that dependabot also leverages Github Security Advisories
Dependabot does not support this. The best we have is In general, it is a good practice to avoid bundling unrelated dependency upgrades together because it complicates reverts if they are needed. Small changes are usually better in general in my experience |
I understand your perspective. I'd absolutely love a workflow with Dependabot where I'm alerted immediately if a dependency is used in a way that poses a security risk—please don't get me wrong. Unfortunately, as outlined in the blog post I've mentioned above, this is rarely the case. I'm sure your situation is similar, but I only have limited time and I can't afford to keep up with a lot of updates that will likely not change anything meaningful for the project. These are the options I currently see:
What do you think? |
Hi @amannn, I do agree that dependabot can be quite noisy, but having the latest set of dependencies tend to reduce the surface area of problems that can come up over time. Would you be interested in changing the interval to something like |
Thanks for chiming in @vyas-n! Monthly sounds better, but grouped updates would be a requirement from my side. Seems like the feature is in public beta now, so maybe we can add this soon! |
Grouped updates are now available. |
To keep our dependencies up to date and secure
See #225 to see why this is needed
See it in action : https://github.com/yeikel/action-semantic-pull-request/pulls