NSubstitute
feat: add dependabot for this project for minor and patch updates for nuget packages and github actions
Changes
- add dependabot for this project for automatic minor and patch updates
- for nuget packages
- github actions
See example PRs for what will be raised in this repository
- https://github.com/twcclegg/libphonenumber-csharp/pull/242
- https://github.com/twcclegg/libphonenumber-csharp/pull/243
- https://github.com/twcclegg/libphonenumber-csharp/pull/227
hope that helps!
Team members of NSubstitute are very conservative about updating dependencies...
I have 2 questions:
- Do we want to have dependabot with update proposals? cc @NSubstitute team
- Do we want to have this gigantic config or better to use something simple like:
```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
```
?
Thank you
Thanks for this!
> 1. Do we want to have dependabot with update proposals? cc @nsubstitute team
What are the possible impacts to users here? Not sure if any of these are legitimate concerns these days, but previously we've had cases like:
- a package version drops support for a platform or adds a new dependency that means users on older platforms have issues using the version
- Unity requiring specific versions of libs
The other consideration is what we're gaining by updating these dependencies. I think the motivations are a bit different between test-only code and production code. If a project using NSub wants a different dep version they can specify this, but iirc there isn't an easy way to force a previous version if it is required for some reason.
Again, not sure if any of these are legitimate concerns, but thought it would be worth clarifying.
> 2. Do we want to have this gigantic config or better to use something simple like: ...
I much prefer the simpler version! ❤️
if I could help out in this discussion, if you are worried around certain packages needing to be pinned to a specific version, you can do the following, e.g. what I have done in my project is as follows
```yaml
other_minor_patch_updates:
  exclude-patterns:
    - "@fastify*"
    - "fastify"
    - "@sentry*"
  update-types:
    - "minor"
    - "patch"
```
this excludes any npm packages starting with @fastify or called fastify or starting with @sentry
dependabot will then exclude it from any pr opened by it in that group you specify
also another potential issue with removing "groups" in the config is that dependabot will open a PR for each package, which means your repository will potentially get spammed with a lot of PRs
> if you are worried around certain packages needing to be pinned to a specific version,
I'm less worried about packages NSub uses, and more about requirements that projects that use NSubstitute require. (example)
I'm probably being overly conservative with this. 🤔
Okay, what is the final decision? For now we don't want to have dependabot, right?
@Romfos I'm happy to go with whatever you recommend here. We don't need to accept dependabot PRs so shouldn't be an issue if you want to try it out.
@dtchepak according to your comment here: https://github.com/nsubstitute/NSubstitute/pull/831#discussion_r1817846412
If I understand your comment correctly, we want to stay on older dependencies for the package project.
We can enable it for non-package projects like unit tests:
```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    directories:
      - "/tests/NSubstitute.Acceptance.Specs"
      - "/tests/NSubstitute.Benchmarks"
      - "/build"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
```
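
The options raised across this thread (scoping to non-package projects, grouping to avoid one PR per package, minor and patch updates only, and GitHub Actions updates) can be combined in one `dependabot.yml`. The following is an added example, not a config posted by any participant or used by the project; the group names are hypothetical, and the `ignore` rule is one assumed way to keep major bumps out.

```yaml
# Added example: not the repository's actual .github/dependabot.yml.
version: 2
updates:
  - package-ecosystem: "nuget"
    # Only the non-package projects named in the thread. The shipped
    # NSubstitute package project is left out, so the dependency versions
    # it imposes on consumers do not move.
    directories:
      - "/tests/NSubstitute.Acceptance.Specs"
      - "/tests/NSubstitute.Benchmarks"
      - "/build"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    groups:
      # Hypothetical group name. Minor and patch bumps are bundled into
      # grouped PRs instead of one PR per package.
      nuget-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Assumed policy: do not propose major version bumps at all.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"

  - package-ecosystem: "github-actions"
    # "/" makes Dependabot scan the workflow files under .github/workflows.
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    groups:
      # Hypothetical group name.
      actions-minor-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```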