chore: add Dependabot for dependency updates #6325
Conversation
This doesn't need configuration from the admin, yeah? I haven't used Dependabot since around the time it was integrated into GH. Also, we can go even less frequently than that (e.g. biweekly). I would investigate the actual configuration.
Monthly is the max right now https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#scheduleinterval
I don't believe any admin setup is required with the config file now, but it was in the past when it was done through the separate app
✔️ [V2] 🔨 Explore the source changes: 37a1a14 🔍 Inspect the deploy log: https://app.netlify.com/sites/docusaurus-2/deploys/61dfce0cc8fb610008b4cedb 😎 Browse the preview: https://deploy-preview-6325--docusaurus-2.netlify.app
⚡️ Lighthouse report for the changes in this PR:
Lighthouse ran on https://deploy-preview-6325--docusaurus-2.netlify.app/
Overall I don't like Dependabot and I use Renovate for my projects, because Dependabot has no batch-updates and ends up sending 3 PRs to upgrade one monorepo (e.g. ts-eslint) which creates huge noise in our history. It also usually means waiting for Dependabot to resolve conflicts after merging every PR. But... seems we haven't progressed much with integrating Renovate.
I would leave the decision to @slorber
Co-authored-by: Nick Schonning <nschonni@gmail.com>
@nschonni Is there a way for us to ignore certain lockfiles and only update the one at the root? I noticed that dependabot opens four PRs at a time because we have three example packages that aren't supposed to be modified
This one is only pointing to the root package/yarn.lock right now. To pick up nested ones, that would be separate entries in the config (like for the
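To make the "one entry per lockfile" point concrete, here is an added example of a `.github/dependabot.yml` in the shape the thread describes; it is not the file from this PR. It assumes the npm ecosystem for the root `package.json`/`yarn.lock` and the weekly interval mentioned in the description; the commented-out second entry and its directory path are a placeholder showing how a nested lockfile would be opted in, and no `labels` key is set so Dependabot keeps its defaults.

```yaml
# Added example (not the PR's actual config): root-only npm updates.
version: 2
updates:
  # Each `updates` entry covers exactly one directory, so only the root
  # package.json / yarn.lock is watched here. The example packages under
  # their own directories are untouched because they have no entry.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"        # valid values: daily, weekly, monthly
    open-pull-requests-limit: 10
    # No `labels:` key here, so the default Dependabot labels are used.

  # To also track a nested lockfile, add a second entry pointing at its
  # directory (placeholder path, assumed for illustration):
  # - package-ecosystem: "npm"
  #   directory: "/packages/example-package"
  #   schedule:
  #     interval: "monthly"
```

The `open-pull-requests-limit` cap is what bounds the "flood" of PRs a first run can open against a large lockfile; a manual relock before enabling the bot, as done in this thread, reduces how many of those PRs there are to begin with.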
Oh, I see. That sounds good
Until we set up Renovate, it seems reasonable to use this bot for now as I don't need to ask Joel to set up anything. Will we get flooded with a lot of immediate PRs just after the merge?
We probably will, considering the size of our yarn.lock... Let's do a manual relock first, shall we?
Yes, I'm doing one right now
Did one myself as well, noticed a few type incompatibilities, probably the
👍 let's give it a try
Oh, forgot to configure the Dependabot PR labels :D
No, actually, we don't want Dependabot to add labels: that's too much noise in our changelog. The default ones are fine
Motivation
As discussed in #3552
Maybe you want to go with Renovate Bot in the longer term, but at least this would get something going.
Kept updates to weekly to reduce some of the noise, but maybe you want to increase it to monthly and just use the manual trigger on the Insights tab to trigger manually
Have you read the Contributing Guidelines on pull requests?
Yes
Test Plan
N/A
Related PRs