feat: add dependabot for this project for minor and patch updates for nuget packages and github actions

[wmundev]

Changes

• add dependabot for this project for automatic minor and patch updates
  • for nuget packages
  • github actions

See examples PR on what will be raised in this repository

• build(deps): bump the phonenumbers_test_minor_patch_updates group in /csharp/PhoneNumbers.Test with 2 updates twcclegg/libphonenumber-csharp#242
• build(deps): bump the phonenumbers_extensions_test_minor_patch_updates group in /csharp/PhoneNumbers.Extensions.Test with 2 updates twcclegg/libphonenumber-csharp#243
• build(deps): bump actions/setup-dotnet from 3 to 4 twcclegg/libphonenumber-csharp#227

hope that helps!

[Romfos]

Teams members of NSubstitute are very conservative about update dependencies...

I have 2 questions:

1. Do we want to have dependabot with update proposals? cc @nsubstitute team
2. Do we want to have this gigantic config or better to use something simple like:

version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5

?

Thank you

[dtchepak]

Thanks for this!

1. Do we want to have dependabot with update proposals? cc @nsubstitute team

What are the possible impacts to users here? Not sure if any of these are legitimate concerns these days, but previously we've had cases like:

• a package version drops support for a platform or adds a new dependency that means users on older platforms have issues using the version
• Unity requiring specific versions of libs

The other consideration is what we're gaining by updating these dependencies. I think the motivations are a bit different between test-only code and production code. If a project using NSub wants a different dep version they can specify this, but iirc there isn't an easy way to force a previous version if it is required for some reason.

Again, not sure if any of these are legitmate concerns, but thought it would be worth clarifying.

2. Do we want to have this gigantic config or better to use something simple like: ...

I much prefer the simpler version! ❤️

[wmundev]

if i could help out in this discussion, if you are worried around certain packages needing to be pinned to a specific version, you can do the following, e.g. what i have done in my project is as follows

      other_minor_patch_updates:
        exclude-patterns:
        - "@fastify*"
        - "fastify"
        - "@sentry*"
        update-types:
        - "minor"
        - "patch"

this excludes any npm packages starting with @fastify or called fastify or starting with @sentry

dependabot will then exclude it from any pr opened by it in that group you specify

also another potential issue with removing "groups" in the config is that dependabot will open a PR For each package, which means your repository will potentially get spammed with a lot of PRs

[dtchepak]

if you are worried around certain packages needing to be pinned to a specific version,

I'm less worried about packages NSub uses, and more about requirements that projects that use NSubstitute require. (example)

I'm probably being overly conservative with this. 🤔