Proposition: Use Dependabot for dependency updates #3349
Comments
|
I totally agree with tomap. Hexo project has many repositories and they has many dependency packages. Especially, we have to confirm to breaking change, if update package. If we use dependabot, it will be save our maintenance cost. |
|
Ok, so not much reaction. I do not seem to have enough rigths to setup dependabot for hexo-util (or any hexo repo). |
|
No... I can't. I found this.
Maybe we can't install marketplace app. |
|
And this.
|
|
Perhaps if we ping @hexojs/founder team they will have permissions to add DependaBot. (Assuming they like the idea.) |
|
Cool idea. I will try to see if I can install dependabot to hexojs. Updates: I have installed dependabot to all hexojs repository with |
|
My inbox confirms, it worked 👍 |
|
@hexojs/core |
Hi,
I would like to propose that we use Dependabot for dependency updates
https://dependabot.com/
We have been doing a lot of dependency update lately, and it is very hard to keep track, and to keep up.
Dependabot will create the pull requests each time we have a dependency to update.
I tested it on a clone of hexo-util and here is the result: https://github.com/tomap/hexo-util/pulls
5 super nice pull requests, with the commit list between the two versions of the dependency
Dependabot will update those pull request to fix any conflict, and if there is an issue with the build, it will be up to us to fix it, of course
I propose we set it up on a single "minor" repo (like hexo-util) to start, and if we are satisfied with it, we can set it up on all repos, up to the main one : hexo
This is a proposition, to be discussed of course, with all maintainer
Thomas
PS: I started the discussion on gitter: https://gitter.im/hexojs/hexo
PS2: I contacted dependabot support, and they confirmed it's free for open source organizations
The text was updated successfully, but these errors were encountered: