The OpenAPI generator generates old versions of dependencies, like in 879ea78.
Then dependabot comes along in PRs like #3631 and upgrades them.
To avoid this:
- PR authors can manually undo the OpenAPI generator's changes to these dependency versions. This is a pain.
- We could automatically undo changes to these files in the script that calls the OpenAPI generator. This will cause us to miss real dependency updates if there ever are any.
- We could disable dependabot on these files. I'm not sure why dependabot is running on them in the first place, since we have

  ```yaml
  # Look for `package.json` and `lock` files in the `root` directory
  directory: "/"
  ```

  (`chromium-dashboard/.github/dependabot.yml`, lines 6 to 8 in 2b84744)

  but adding new sections with `directory: gen/js/chromestatus-openapi` and `directory: gen/py/chromestatus-openapi` will hopefully let us ignore updates to those packages. This has the risk that it could leave vulnerable versions around, but it doesn't look like the dependencies of these libraries actually affect the versions installed for the main program.
What do y'all prefer?
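One way to spell out the third option, as an added example and not the repository's actual `dependabot.yml`: keep version updates for the root manifests, and add entries for the generated client directories that stop version-update PRs while leaving security updates on. It assumes the `npm` and `pip` ecosystems and a weekly schedule; `open-pull-requests-limit: 0` disabling version updates but not security updates is Dependabot's documented behaviour, which covers the vulnerable-versions concern raised above.

```yaml
# Added example, not the chromium-dashboard repo's real config.
# Ecosystem names and schedule are assumptions.
version: 2
updates:
  # Root manifests: normal version-update PRs, as today.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"

  # Generated OpenAPI clients: open-pull-requests-limit: 0 turns off
  # version-update PRs for these directories, so Dependabot stops re-bumping
  # the versions the generator pins, while security-update PRs for them
  # are still raised if an advisory matches a pinned version.
  # Dependabot directory paths are written relative to the repo root with
  # a leading slash.
  - package-ecosystem: "npm"
    directory: "/gen/js/chromestatus-openapi"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
  - package-ecosystem: "pip"
    directory: "/gen/py/chromestatus-openapi"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```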