Add dependabot config #31
Conversation
@HighCommander4 now that we're mostly up to date, this can be considered to help keep us there.
@HighCommander4 mind having a look? Low hanging fruit here.
Question: does dependabot distinguish between dependency updates in the following categories:
A. Updates that fix security vulnerabilities
My reason for asking is that I'd like updates in category A, but not updates in category B. I could go either way on updates in category C (I would probably pass on them if given the choice, since they could still introduce regressions, but if e.g. there's no way to distinguish between A and C then I'd take them).
There are a lot of configuration knobs, but in general dependabot can't know which update breaks API and which doesn't. You can specify which updates you want in terms of semver; that's about it. My suggestion is to start with this and customize as we go.
That sounds like it should be sufficient for excluding API-breaking updates, since updates that break API need to bump the major version in semver. So, can we configure it to exclude major version bumps, e.g. something like this?
Yes, we can, but are you sure that's what you want? Some portion of even those updates will be OK, as they won't break APIs we actually use.
Speaking only for what I'm personally willing to take on as a maintainer: yes. I'm fine with monthly PRs that update dependencies but do not require updating API usage. I do not have the bandwidth to deal with potentially having to update API usage on a monthly cadence. If another maintainer (such as @hokein) is willing to take on the latter, or if you're interested in becoming a maintainer and taking that on, we could take a different course of action.
I'd be willing to help with maintenance.
This will batch all updates into a single PR once a month.
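An added example of a dependabot.yml that matches what the thread settles on (monthly cadence, all non-major updates batched into one PR, major version bumps excluded); it is not the config from this PR, and the npm ecosystem and root directory are assumptions since the page does not name the project's package manager.

```yaml
# Example dependabot.yml (added illustration, not the PR's own file).
# Assumption: an npm project with its manifest in the repository root.
version: 2
updates:
  - package-ecosystem: "npm"       # assumed ecosystem
    directory: "/"                  # assumed manifest location
    schedule:
      interval: "monthly"           # one run per month, as discussed above
    open-pull-requests-limit: 5
    # Batch every minor/patch update into a single PR instead of one PR per package.
    groups:
      monthly-non-breaking:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    # Skip major version bumps: under semver those are the API-breaking ones.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
```

Caveat for the security-update question raised above: ignore rules can also suppress Dependabot security updates for a matching dependency, so verify in the repository's security settings that vulnerability-fix PRs for major bumps are still surfaced, or narrow the ignore list to specific dependencies rather than "*".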
Gentle ping on this.