Use a single PR for updates with the same GroupId and Version #2121
Comments
|
Interesting. Any reason you're not using a property for these? |
|
I can try using a property for these, but until now it wasn't necessary to do so. For manual dependency updates it was sufficient to just have the dependencies in question declared adjacent to each other so it would be obvious to a human that these belong together and should be updated simultaneously. What kinds of properties and property replacement does dependabot support for gradle? dependencies {
compile "org.springframework:spring-beans:$springVersion"
compile "org.springframework:spring-context:${springVersion}"
compile "org.springframework:spring-web:" + springVersion
} |
|
Dependabot can support the top two formats but not the bottom one (it's regex based for Gradle). I think having Dependabot try to automatically determine groups based on groupId and version would be nice, but could only happen after it's configurable more generally, otherwise it could cause problems! |
|
I think introducing a property for a version number shared by multiple dependencies only makes sense if the dependency declarations are spread over different places and/or if there are many of them. For small groups of dependencies (2 or 3) which are declared directly adjacent to each other it seems exaggerated to me to introduce a separate property just to hold the version number.
Is there any way I can see which exact dependencies have been found in projects so I can make sure dependabot monitors all of them? |
Not at the moment, but we're planning to use Dependabot's parsers to power parsing for GitHub's dependency insights page. Once we start doing that you'll be able to view the results within GitHub. |
|
The Issue's name catches me here. I've hat this scenario:
I kinda figure it to be way much more nicer to just re-use the old PR and update that and it's name to match the updated version. |
|
Similar to: |
infin8x
added
F: noise
|
pls check this #1618 (comment) which works for me |
jeffwidman
added
the
F: grouped-updates 🎳
|
Solving this for all edge cases really requires leveraging a native helper: |
|
I get that you want them to all be bumped in a single PR, but which of the following is true:
1️⃣ is tracked in the generic sense in: 2️⃣ is tracked in: Also possibly related: |
|
@jeffwidman There are a lot of different issues related to this, but they all basically come down to the same underlying frustration with dependabot - it creates a lot of "noise" because virtually every version of every dependency gets its own individual PR. The value of dependabot is that it automates the process of checking for available updates and creating PRs when new updates are available. However, those PRs are not grouped or managed the way a human would do it if given the same job, so dependabot ends up adding a lot of additional overhead in now managing all of those individual PRs. This problem is much worse in ecosystems like javascript where even relatively small projects have a large number of dependencies which get updated very regularly and where many are logically grouped together. In addition to being frurstrating to manage them all, it can quickly blow up your CI costs if you run CI on your dependabot PRs. Currently, the only solutions to this problem are to (a) manage all of these various PRs manually, or (b) to set up custom scripts to manage all the dependabot PRs after-the-fact (e.g. https://github.com/github/combine-prs). Managing them all manually gets frustrating pretty quickly. Using custom scripts works okay, but adds another layer of code to maintain and demotes dependabot to an alerting system only and can break frequently because of merge conflicts. In order to solve this more fundamental problem, dependabot requires 2 major changes. The first is to allow multiple directories for the same ecosystem. The second is to add a new version: 3
updates:
- package-ecosystem: "npm"
directories:
- "/web"
- "/api"
- "/docs"
schedule:
interval: "weekly"
groups:
react:
- dependency-name: "react*"
eslint:
- dependency-name: "eslint*"
- dependency-name: "@typescript-eslint*"
other-development:
- dependency-type: "development"The above would put any dependency (across all three directory) which starts with "react" in the same PR and reuse that PR as other dependencies/versions are added (as long as it is still open). Matching can be done in order (so "other-development" only matches if the first 2 didn't match) and anything which doesn't match any of the defined groups would work the same way it does now. I know that this would be significant change to some core dependabot functionality but it would singlehandedly address a large number of existing issues and make dependabot more flexible and configurable. |
|
I really like how @mwaddell's suggestion above (Ref) puts the 'control of grouping' back on us as individual developers, which IMO would remove a lot of the 'effort' of trying to figure out the correct groupings for everyone that uses dependabot in a more generic case. And then later, any public repo's can be data-mined for their dependabot grouping configs to build up a 'database' of the most common groupings, that could then be used to improve the 'default smarts' of dependabot (or suggest groupings for users to include in their own config; which itself could potentially be implemented as a dependabot PR suggesting changes to it's own config, to still 'keep a human in the loop') |
I'ts mostly 2, but a bit of 1 could happen. Technically, Gradle would be fine with them being declared with different versions. But dependencies which are essentially different modules published by the same project have a high chance of being interdependent. There is no easy way to 100% correctly determine, which dependencies should be bumped together, but multiple dependencies having the same groupId, the same current (old) version and the same new target version should be a reasonably good heuristic. I'm not sure if I like the idea of having to declare all dependency groups manually. First, because I'm lazy and don't want to spend my time configuring dependabot for all my repositories, and second because potentially thousands of repositories would need to declare the same groupings over and over. If you don't like to use a heuristic here it might be the better option to have a static list of groups inside dependabot itself. |
|
Update: We've started doing some grouped updates work! This particular issue might not be part of the first ship but if you want to track our updates, do follow #1190. |
|
Just wanted to pop in from the Dependabot team to mention that we have configurable grouping rules in public beta, which should solve this problem! You can see the docs on how to set these up here: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups If you have any feedback, please feel free to email me at |
@carogalvin It would be nice if dependabot closed the old individual PRs when it created the combined one. It's a little confusing that when you close them manually you get the "I won't notify you" alert but it is still tracking them in the other PR... |
|
Closing this out as we've officially released grouped version updates; please feel free to reopen or reach out if there are more questions or feedback. |
This is a special case of:
I have multiple dependencies pointing to different submodules of the different overall project:
When Version 5 becomes available all of these dependencies should be updated in one atomic PR.
Some real world examples:
com.squareup.retrofit2from 2.5.0 to 2.6.1io.freefair.gradlefrom3.7.4to3.8.1The text was updated successfully, but these errors were encountered: