Reduce Dependabot PR noise for NPM package ecosystem #65
svengreb added a commit that referenced this issue on Dec 12, 2020:

To reduce the noise of too many PRs from NPM dependencies, where most of them are only scoped for (local) development, two optimizations have been made:

1. The schedule changed to the `monthly` interval [1]. This is still enough to keep up with the fast updates in the NPM ecosystem.
2. Only watch production packages (`dependencies`) and ignore development packages (`devDependencies`). The packages used for local or CI/CD development purposes are not required to be the latest version just for the sake of being up-to-date without a specific need or benefit.

Since GitHub takes security really seriously [2], important Dependabot security updates [3] are triggered manually by a security advisor so there is no risk of missing important version bumps when reducing the schedule interval.

"Use the `allow` option to customize which dependencies are updated. This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

GH-65
svengreb added a commit that referenced this issue on Dec 12, 2020:

To reduce the noise of too many PRs from NPM dependencies, where most of them are only scoped for (local) development, two optimizations have been made:

1. The schedule changed to the `monthly` interval [1]. This is still enough to keep up with the fast updates in the NPM ecosystem.
2. Only watch production packages (`dependencies`) and ignore development packages (`devDependencies`). The packages used for local or CI/CD development purposes are not required to be the latest version just for the sake of being up-to-date without a specific need or benefit.

Since GitHub takes security really seriously [2], important Dependabot security updates [3] are triggered manually by a security advisor so there is no risk of missing important version bumps when reducing the schedule interval.

"Use the `allow` option to customize which dependencies are updated. This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

Closes GH-65
svengreb added a commit to svengreb/tmpl-go that referenced this issue on Dec 12, 2020:

Updated to "tmpl" version 0.8.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl/releases/tag/v0.8.0
[2]: svengreb/tmpl#65

GH-45
svengreb added a commit to svengreb/tmpl-go that referenced this issue on Dec 12, 2020:

Updated to "tmpl" version 0.8.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl/releases/tag/v0.8.0
[2]: svengreb/tmpl#65

Closes GH-45
svengreb added a commit to svengreb/golib that referenced this issue on Dec 12, 2020:

Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

GH-16
svengreb added a commit to svengreb/golib that referenced this issue on Dec 12, 2020:

Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

Closes GH-16
svengreb added a commit to svengreb/nib that referenced this issue on Dec 12, 2020:

Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

GH-38
svengreb added a commit to svengreb/nib that referenced this issue on Dec 12, 2020:

Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

Closes GH-38
svengreb added a commit to svengreb/wand that referenced this issue on Dec 12, 2020:

Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

GH-58
svengreb added a commit to svengreb/wand that referenced this issue on Dec 12, 2020:

Update to "tmpl-go" version 0.6.0 [1] which reduces "Dependabot" PR noise for the NPM package ecosystem [2].

[1]: https://github.com/svengreb/tmpl-go/releases/tag/v0.6.0
[2]: svengreb/tmpl#65

Closes GH-58
To reduce the noise of too many PRs from NPM dependencies, where most of them are only scoped for (local) development, two optimizations will be made:

1. Change the schedule to the `monthly` interval. This is still enough to keep up with the fast updates in the NPM ecosystem.
2. Only watch production packages (`dependencies`) and ignore development packages (`devDependencies`). The packages used for local or CI/CD development purposes are not required to be the latest version just for the sake of being up-to-date without a specific need or benefit.

Since GitHub takes security really seriously, important Dependabot security updates are triggered manually by a security advisor so there is no risk of missing important version bumps when reducing the schedule interval.
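The two changes described in this issue and in the referenced commit message (monthly interval, production dependencies only) correspond to two keys in Dependabot's configuration file. The following is an added example written for this page, not the tmpl repository's own file. It assumes the standard file location `.github/dependabot.yml` and an `npm` ecosystem rooted at `/`; the "before" interval of `weekly` is an assumption, since the issue does not state what the previous interval was.

```yaml
# .github/dependabot.yml (added example, not the repository's own file)
version: 2
updates:
  # Before (assumed): every npm dependency, including devDependencies,
  # checked on a weekly interval. Kept here as a comment for comparison.
  # - package-ecosystem: "npm"
  #   directory: "/"
  #   schedule:
  #     interval: "weekly"

  # After: the two optimizations from GH-65.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      # 1. Less frequent version-update runs.
      interval: "monthly"
    allow:
      # 2. Only packages listed under "dependencies" in package.json;
      #    "devDependencies" no longer produce version-update PRs.
      - dependency-type: "production"
```

Both keys govern version updates only. As the documentation quoted in the commit message states, `allow` has no effect on Dependabot security updates, and those are not driven by the `schedule` either, so a vulnerable `devDependency` still receives its security PR under this configuration.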