Reduce Dependabot PR noise for NPM package ecosystem #65

Closed
svengreb opened this issue Dec 12, 2020 · 0 comments · Fixed by #66

Comments

@svengreb
Owner

svengreb commented Dec 12, 2020

To reduce the noise of too many PRs from NPM dependencies, where most of them are only scoped for (local) development, two optimizations will be made:

  1. The schedule will be changed to the monthly interval. This is still enough to keep up with the fast updates in the NPM ecosystem.
  2. Only watch production packages (dependencies) and ignore development packages (devDependencies). The packages used for local or CI/CD development purposes are not required to be the latest version just for the sake of being up-to-date without a specific need or benefit.

Since GitHub takes security really seriously, important Dependabot security updates are triggered manually by a security advisor, so there is no risk of missing important version bumps when reducing the schedule interval.

Use the allow option to customize which dependencies are updated. This has no impact on security updates for vulnerable dependencies.
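The two optimizations described above, written out as a `.github/dependabot.yml`. This is an added illustration, not the configuration file committed to the repository: the `directory: "/"` value (a `package.json` at the repository root) and the `daily` interval shown as the "before" state are assumptions, since the issue does not state the previous schedule.

```yaml
# Added example, not the repository's own dependabot.yml.
# Assumptions: package.json lives at the repository root (directory: "/"),
# and the previous (noisy) interval was "daily" (not stated in the issue).
version: 2
updates:
  # Before (assumed): every npm package, devDependencies included, watched
  # on a short interval. This is the setup that produces the PR noise.
  #
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "daily"

  # After: the monthly interval, and version-update PRs only for production
  # packages (`dependencies`); `devDependencies` are no longer watched.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "monthly"
    allow:
      # Restricts *version* updates to `dependencies`. Per the quoted docs,
      # this has no impact on security updates for vulnerable packages.
      - dependency-type: "production"
```

Note the division of labour this relies on: `allow` and `schedule.interval` only govern Dependabot version updates. A package with a known vulnerability still gets a Dependabot security update PR regardless of these settings, which is why narrowing the watched set to production packages does not reduce security coverage.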

@svengreb svengreb added this to the Next milestone Dec 12, 2020
@svengreb svengreb self-assigned this Dec 12, 2020
svengreb added a commit that referenced this issue Dec 12, 2020
To reduce the noise of too many PRs from NPM dependencies, where most of
them are only scoped for (local) development, two optimizations have
been made:

1. The schedule changed to the `monthly` interval [1].
   This is still enough to keep up with the fast updates in the NPM
   ecosystem.
2. Only watch production packages (`dependencies`) and ignore
   development packages (`devDependencies`).
   The packages used for local or CI/CD development purposes are not
   required to be the latest version just for the sake of being
   up-to-date without a specific need or benefit.

Since GitHub takes security really seriously [2], important Dependabot
security updates [3] are triggered manually by a security advisor, so
there is no risk of missing important version bumps when reducing the
schedule interval.

  "Use the `allow` option to customize which dependencies are updated.
  This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

GH-65
svengreb added a commit that referenced this issue Dec 12, 2020
To reduce the noise of too many PRs from NPM dependencies, where most of
them are only scoped for (local) development, two optimizations have
been made:

1. The schedule changed to the `monthly` interval [1].
   This is still enough to keep up with the fast updates in the NPM
   ecosystem.
2. Only watch production packages (`dependencies`) and ignore
   development packages (`devDependencies`).
   The packages used for local or CI/CD development purposes are not
   required to be the latest version just for the sake of being
   up-to-date without a specific need or benefit.

Since GitHub takes security really seriously [2], important Dependabot
security updates [3] are triggered manually by a security advisor, so
there is no risk of missing important version bumps when reducing the
schedule interval.

  "Use the `allow` option to customize which dependencies are updated.
  This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

Closes GH-65
@svengreb svengreb removed their assignment Dec 12, 2020
svengreb added a commit to svengreb/tmpl-go that referenced this issue Dec 12, 2020
Updated to "tmpl" version 0.8.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl/releases/tag/v0.8.0
[2]: svengreb/tmpl#65

GH-45
svengreb added a commit to svengreb/tmpl-go that referenced this issue Dec 12, 2020
Updated to "tmpl" version 0.8.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl/releases/tag/v0.8.0
[2]: svengreb/tmpl#65

Closes GH-45
svengreb added a commit to svengreb/golib that referenced this issue Dec 12, 2020
Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

GH-16
svengreb added a commit to svengreb/golib that referenced this issue Dec 12, 2020
Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

Closes GH-16
svengreb added a commit to svengreb/nib that referenced this issue Dec 12, 2020
Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

GH-38
svengreb added a commit to svengreb/nib that referenced this issue Dec 12, 2020
Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

Closes GH-38
svengreb added a commit to svengreb/wand that referenced this issue Dec 12, 2020
Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

GH-58
svengreb added a commit to svengreb/wand that referenced this issue Dec 12, 2020
Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise
for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

Closes GH-58