Configure a GitHub native Dependabot #11281
Replies: 6 comments
- @nimishbongale more context is needed. "Dependencies are a headache to manage." is a vague statement. What specific problem will this solve (and how)?
- @bryevdv
- Speaking from bokehjs' development perspective, this seems more work than it's worth, especially if this is going to complain about each package individually. My preferred approach is to run
- @mattpap Right. We can alter the frequency at which Dependabot generates these PRs as well, to one in a month or so. Maybe if that's still a bit complaintive, then it's definitely not worth it. I do agree that since it raises individual PRs it's a bit of a hassle.
- I don't have a feel for how many packages might typically get a bump if this ran once a month, which is really what matters I think. E.g. if it's going to dump 5 or 10 individual PRs a month every month, then that is too big a burden to make the automatic checking worthwhile. @nimishbongale you mentioned having configured this on your fork, can you relate what the update "rate" has been like? Maybe we could just let it run on a fork for a few months to get some actual data points about how much work it creates.
- @bryevdv Yes. Maybe we could do that. From the moment it was configured, it has put up 5 PRs to do with npm dependencies. I believe Dependabot sends up to a maximum of 5 PRs for the chosen time frame. However, it is also up to us to configure how many PRs we want it to raise, and it ranks dependencies based on priority before suggesting them. There's an
Is your feature request related to a problem? Please describe.
Dependencies are a headache to manage in any project. Since open source projects depend on other libraries and tools, it becomes a necessity to stay up to date. At the same time we must ensure that a dependency upgrade does not break our code. Regular updates may need an automated setup to get the best results. Up until now, Dependabot had a plug-and-play version which supported security version updates. Now, after Dependabot has moved to GitHub natively, we could leverage its immense potential by configuring it for bokeh.
Describe the solution you'd like
Configure a GitHub native Dependabot to do the same for us.
Additional context
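The knobs the thread is debating (how often Dependabot runs, how many PRs it may keep open at once, and whether it opens one PR per package) are all set in the repository's `.github/dependabot.yml`. The configuration below is an added example written for this discussion; it is not a file from the bokeh repository, and the `/bokehjs` directory for the npm manifest and the `/` directory for the Python manifest are assumptions about the repository layout. It uses the monthly interval and the cap of 5 open PRs mentioned above, and adds Dependabot's `groups` key so that routine minor and patch bumps arrive as a single PR instead of one PR per package, which addresses the "complain about each package individually" concern.

```yaml
# .github/dependabot.yml (added example; assumed paths, not the project's own file)
version: 2
updates:
  # bokehjs npm dependencies (directory assumed to hold package.json)
  - package-ecosystem: "npm"
    directory: "/bokehjs"
    schedule:
      interval: "monthly"      # run once a month, as proposed in the thread
    open-pull-requests-limit: 5 # Dependabot's default cap; set to 0 to disable version updates
    groups:
      # Roll all non-breaking bumps into one PR; majors still get their own PR
      # so a breaking change is reviewed on its own.
      npm-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Python dependencies (directory assumed to hold the project's manifest)
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
    groups:
      pip-minor-and-patch:
        update-types:
          - "minor"
          - "patch"

  # Pin and update the action versions used by the CI workflows
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 5
```

Two points worth knowing before enabling this: security updates (the pre-existing behaviour the original post refers to) are controlled separately in the repository's settings and are not affected by `open-pull-requests-limit`, and the grouped PR is still only as safe as the test suite that runs against it, so the "does not break our code" requirement in the original post is met by CI on the PR, not by Dependabot itself. Trialling the file on a fork first, as suggested above, gives real numbers for how many PRs a month the settings produce before they land on the main repository.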