Add dependabot #433

Merged
merged 2 commits into from
Mar 1, 2023
Conversation

lucacome
Contributor

Adds dependabot to automate GitHub workflows and go dependencies updates.

Signed-off-by: Luca Comellini <luca.com@gmail.com>
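An added example (not the file from this PR, which the page does not show) of the `.github/dependabot.yml` that a change like this introduces: one `github-actions` entry for the workflow files and one `gomod` entry per Go module. The weekly schedule and the `/sigv4` directory are assumptions; the second module path is based only on the thread's mention of a sigv4 submodule.

```yaml
# Added example of a .github/dependabot.yml; the schedule and the
# sigv4 directory are assumptions, not the contents of this PR.
version: 2
updates:
  # Keep the actions referenced by .github/workflows/*.yml current
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Go module at the repository root (go.mod in "/")
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"

  # A submodule with its own go.mod needs its own entry; Dependabot does
  # not recurse into nested modules. Path assumed from the discussion.
  - package-ecosystem: "gomod"
    directory: "/sigv4"
    schedule:
      interval: "weekly"
```

Each `gomod` entry scans only the `go.mod` in its `directory`, which is why a nested module such as the sigv4 one is easy to miss. Version updates from this config bump the direct requirements of each module; lines marked `// indirect` are only changed by Dependabot security updates or when a direct bump pulls a newer transitive version along.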
@lucacome
Contributor Author

@roidelapluie I can also help merge these dependency PRs once this is merged 🙂

@bboreham
Member

In my view, dependabot should be used in programs and not in libraries.

Updating dependencies of this library does nothing to update programs that use it, until they need a new feature from this library, and then they are forced to update whatever this library says. Libraries should not be in the business of forcing updates.

@lucacome lucacome mentioned this pull request Feb 24, 2023
@lucacome
Contributor Author

@bboreham I'm not sure what you mean. This library uses dependencies that need to be kept updated to get bug fixes and, more importantly, CVE fixes.

@bboreham
Member

I mean this has no practical benefit.
Only the dependencies built into programs (executables) matter. Changing this library does not affect any programs, unless they separately decide to update. So let’s let them do that and avoid the clutter here.

@SuperQ
Member

SuperQ commented Feb 25, 2023

@bboreham In the Go ecosystem, it does matter, as downstream Go mod takes module versions included here as part of the update tree.

We already have dependabot on prometheus/client_golang.

@mmorel-35
Contributor

Don’t forget sigv4 submodule

@bboreham
Member

Downstream only takes an update if they specifically decide to update this library. It’s either a no-op or an accident, and I don’t want to promote either.

I’m fine with removing dependabot from all Prometheus libraries.

@SuperQ
Member

SuperQ commented Feb 25, 2023

Except that's not how Go mod works in practice for indirect dependencies. It's not a no-op or an accident; it's a core part of how Go modules work. It doesn't matter if it's a library or an end-user binary repo. We need to maintain the versions we depend upon here. Automating it is necessary for maintainer sanity.

@bboreham
Member

You are suggesting dependabot doesn’t work for indirect dependencies?

@SuperQ
Member

SuperQ commented Feb 25, 2023

Nope, dependabot will not update indirect unless it's for a security vulnerability.

Co-authored-by: Ben Kochie <superq@gmail.com>
Signed-off-by: Luca Comellini <luca.com@gmail.com>
@SuperQ SuperQ requested a review from roidelapluie February 26, 2023 08:34
@SuperQ SuperQ merged commit ab87968 into prometheus:main Mar 1, 2023
@lucacome lucacome deleted the add-dependabot branch March 9, 2023 01:07
5 participants