env/deps: remove greenkeeper.json, configure dependabot.yml (jaredpalmer#846)

- Greenkeeper has shut down, Snyk has been incredibly annoying and can't
  be configured in the codebase (installed by Jared and could only be
  configured by Jared), so use native Dependabot now
  - GitHub acquired Dependabot a little over a year ago and it is what
    powers GitHub vulnerability updates

- set up sensible defaults with YAML anchor/alias
  - to only make PRs weekly, not spam daily
  - to only make PRs for deps, not devDeps
  - to only increase version when necessary, not for every patch and
    minor bump when a dep isn't pinned anyway
  - to use "deps:" prefix similarly to what I use

- set up Dependabot to ignore /website entirely, for dep upgrades and
  vulnerabilities, as it is not a published package and doesn't really
  have an attack surface area
  - should only be updated as needed, not whenever a dep is upgraded

- temporarily ignore "/" as well because it's currently being updated so
  don't want duplication spam
  - but leave security PRs on, only dep upgrades off
agilgur5 authored and paul-vd committed Dec 1, 2020
1 parent d1c6084 commit 5954133
Showing 2 changed files with 33 additions and 10 deletions.
33 changes: 33 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,33 @@
version: 2

# default configuration
defaults: &defaults
package-ecosystem: npm
directory: '/'
schedule:
interval: weekly # don't spam daily
# only increase version when required, don't bump every patch or minor
versioning-strategy: increase-if-necessary
allow:
# only upgrade prod deps (not devDeps)
- dependency-name: '*'
dependency-type: production
commit-message:
prefix: 'deps:' # prefix commit with deps: for consistency

updates:
# configuration for /
- <<: *defaults
# temporarily disable dep upgrade PRs for / as they're being updated
open-pull-requests-limit: 0

# configuration for /website
- <<: *defaults
directory: /website
# /website is not a published package and doesn't really have an attack
# surface area, should only be updated as needed, not as soon as deps change
ignore:
# no security PRs for /website
- dependency-name: '*'
# disable dep upgrade PRs for /website
open-pull-requests-limit: 0
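Review bot: the root entry's `open-pull-requests-limit: 0` is described in the comment as temporary but carries no tracking reference, so version updates for `/` will stay disabled indefinitely once the current upgrade work is done; add a TODO with an issue link (or a date) next to `# temporarily disable dep upgrade PRs for / as they're being updated` so the revert is not forgotten. Two smaller points: the top-level `defaults:` key exists only to host the YAML anchor and is not one of Dependabot's documented top-level keys (`version`, `registries`, `updates`), so confirm the config validator accepts it rather than rejecting the file; and `directory: /website` is unquoted while `directory: '/'` is quoted, so pick one style.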
10 changes: 0 additions & 10 deletions greenkeeper.json

This file was deleted.
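Review bot: the deleted greenkeeper.json contents are not shown here, so the removal itself cannot be reviewed; since Greenkeeper is being dropped entirely, confirm that nothing else in the repository still refers to it (for example a README badge or a CI step), otherwise those references go stale with this commit.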