
chore(dependabot): group dependency updates #2208

Open
wants to merge 1 commit into master
Conversation

chenrui333
Contributor

Signed-off-by: Rui Chen <rui@chenrui.dev>
@wata727
Member

wata727 commented Jan 15, 2025

Thank you for working on this.

Personally, I think grouping related things together is a good idea, but I'm not a big fan of grouping by package ecosystem. I'm concerned that updating multiple packages with different concerns in a single PR will make it difficult to track changes.

Please let me know if there's any reason why you'd like to move this PR forward.

@bendrucker
Member

Yeah to me this feature is built for large packages that are published as smaller units (e.g., AWS SDK) or related packages (e.g., for a linter). In these cases merging many updates one at a time can be at best tedious (SDK) and at worst impossible (in the case of tightly coupled dependencies, e.g., a tool and its plugins). Grouping on ecosystem spoils the signal of a test failure for a given dependency update. A big reason for automated dependency updates is to see exactly where something breaks rather than having to handle big version jumps across many packages.
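To make the distinction above concrete, here is an added example of a `.github/dependabot.yml` (not the config from this PR or the project's own file) that groups only related packages while leaving every other dependency on its own PR. It assumes a Go module at the repository root; the `github.com/example/...` module paths are hypothetical placeholders.

```yaml
# .github/dependabot.yml (added example, not the config proposed in this PR)
version: 2
updates:
  - package-ecosystem: "gomod"   # assumption: a Go module at the repo root
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      # Packages published as smaller units of one upstream project.
      # They are released together and meant to be bumped together, so
      # one PR per release is the natural unit: a CI failure still maps
      # to a single upstream change.
      aws-sdk:
        patterns:
          - "github.com/aws/aws-sdk-go-v2"
          - "github.com/aws/aws-sdk-go-v2/*"
        # Major bumps of the SDK still get their own PR.
        update-types:
          - "minor"
          - "patch"
      # A tool and its plugins: tightly coupled, so updating them one at
      # a time may not even build. Hypothetical module paths.
      example-tool:
        patterns:
          - "github.com/example/tool"
          - "github.com/example/tool-plugin-*"
    # Everything not matched by a group above keeps a separate PR.
    # A group with `patterns: ["*"]` here would instead put every gomod
    # bump into one PR, which is the ecosystem-wide grouping the
    # reviewers object to: a failing build would no longer identify
    # which dependency broke it.
```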

@chenrui333
Contributor Author

yeah, I can see the risk that grouped updates would incur breaking changes, but in reality, it just never happens.

I also just saw this feature recently (apparently it has been around for quite some time).

I'd like to propose to merge it and see if it indeed causes some issues (I also tried it in my other projects too)

let me know what you guys think.

@bendrucker
Member

in reality, it just never happens

This is normal though, most dependency updates are noops, but occasionally they matter.

What would be the goal of grouping all dependencies regardless in a single PR? If it's to reduce toil, auto-merging PRs would seem to be a better way to accomplish that without giving up incremental visibility when something does fail.
