axolotl
[Feature] Auto-accept dependabot PRs
Is your feature request related to a problem? Please describe.
Due to the dependabot we have many open PRs.

Describe the solution you'd like
Keeping the dependencies up to date is good! However, I notice that there are many open PRs, and this number is growing by the day.

Describe alternatives you've considered
We could also stop using the dependabot, and revert to manually keeping the dependencies up to date.

Additional context
After just a quick search I arrived at this: https://github.com/marketplace/actions/dependabot-auto-merge
I would love to have them auto-merged, but the sql update breaks the backend, the linkify needs a re-implementation after the update, and the qrcode plugin is broken upstream and needs this PR (https://github.com/soldair/node-qrcode/pull/299). Also it's really handy to have dependabot because it sends me weekly emails about what's outdated and what could have a CVE. On the other hand, it's polluting the PRs in times when I don't have that much time to merge them. What do you think?
Knowing why we don't want to auto-merge MRs is enough for me: the idea was to help and not to potentially cause problems.
Do you think a sort of allow/denylist would be a possible approach, where essential/core dependencies stay with a manual approach, and the other dependencies could be automatically merged? (Not sure if this currently is possible, but more as an idea to reason about.)
Dependency changes can be problematic when
- the API changes
- the behaviour changes
A change in the API would result in a failed build, so it wouldn't be merged automatically. A change in behaviour would be merged. This could only be prevented by writing tests for the needed functionality of all dependencies.
Therefore I don't think auto-merging dependency changes is feasible for Axolotl. Maybe we could ask people from Axolotl-dev to smoke test the builds from those MRs and give thumbs up or down for them. That would reduce the workload for @nanu-c.