Improve dependabot experience #1823
Comments
To cut down on the number of PRs opened, have dependabot group all the updates for a component in a single pull request. Refs #1823.
I like your first idea (about the one lock file, and multiple groups), but mostly feel extremely appreciative that you are taking this on in any form.
We're currently stalled on applying most dependabot updates because the new semgrep version requires a new major version of urllib3, which it bumps despite it also being a prod dependency. I can't find any knobs in dependabot to prevent this case from happening (aside from excluding semgrep entirely), so either we back out the semgrep update or just keep waiting until the proxy v2 stuff lands, which has the nice side effect of removing urllib3/requests from prod dependencies.
This is now available so I've opened #2018. We've also landed proxy v2 so the previous issue with dev deps bringing in prod updates is less likely to happen. As such, I've marked #2018 to close this issue.
Currently dependabot opens a PR for each individual package in each component, creating a giant spam of updates that is IMO unmanageable.
I'll at least start with grouped updates since that's officially supported and will cut down on the package spam.
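A `.github/dependabot.yml` that applies the grouping discussed in this thread (one PR per component, with production and development dependencies in separate groups so a dev-tool bump cannot pull a major version of a prod dependency along with it). This is an added example, not the project's own configuration; the `pip` ecosystem, the `/client` and `/proxy` directories, the weekly schedule and the `urllib3` ignore rule are assumptions, and the `dependency-type` split only takes effect for packaging formats in which dependabot distinguishes development from production dependencies.

```yaml
# Added example, not the project's own config. Directories, ecosystem and
# package names are assumptions; adjust them to the repository layout.
version: 2
updates:
  # One lock file per component: all of its updates land in a single PR
  # per group instead of one PR per package.
  - package-ecosystem: "pip"
    directory: "/client"          # assumed component directory
    schedule:
      interval: "weekly"
    groups:
      # Production dependencies get their own group, so a development-tool
      # update (the semgrep -> urllib3 case above) cannot ride in with them.
      client-prod:
        dependency-type: "production"
        patterns:
          - "*"
      client-dev:
        dependency-type: "development"
        patterns:
          - "*"
    ignore:
      # Never auto-bump a prod dependency across a major version;
      # those changes are reviewed by hand.
      - dependency-name: "urllib3"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "pip"
    directory: "/proxy"           # assumed component directory
    schedule:
      interval: "weekly"
    groups:
      # Smaller component: a single group is enough here.
      proxy-all:
        patterns:
          - "*"
```

Each `groups` entry produces one pull request, so the number of open PRs is bounded by the number of groups rather than by the number of packages; the `ignore` rule is what keeps a major bump of a listed package out of any grouped PR.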