action-semantic-pull-request
build: configure Dependabot
To keep our dependencies up to date and secure
See #225 to see why this is needed
See it in action: https://github.com/yeikel/action-semantic-pull-request/pulls
Hi @yeikel and thank you very much for this PR!
Unfortunately, Dependabot creates a lot of noise and the security analysis method it uses is broken by design.
These are the dependencies that this action currently uses in builds and that run in containers:
https://github.com/amannn/action-semantic-pull-request/blob/ff373f4e8056b732dfd0eadd42ae54c004e5523b/package.json#L25-L31
We've recently updated all dependencies in the project. My current perspective is that the load of pull requests that Dependabot creates causes much more trouble than what we gain from it.
Something like a quarterly dependency update where the relevant dependencies are checked in detail seems more useful to me.
If there is some configuration option for Dependabot where it creates a PR once every 3 months where it updates all dependencies in one batch, I think this could be a good compromise.
What do you think?
Dependabot keeps dependencies up to date in general and it is not only concerned about security upgrades.
I think that it is important to keep dependencies up to date in general to get notified about new features and enhancements as well as be informed about deprecations and breaking changes as they happen. For example, it is usually easier to migrate from a deprecated API than to do so after the API has been removed 3-4 releases later.
This is crucial to save development time as I personally find smaller upgrades easier to manage.
Generally, I think that waiting 3-4 months to update dependencies is not desirable in general and more so when new versions might come with bug fixes (or security upgrades). It is important to note that Dependabot also leverages GitHub Security Advisories.

> Something like a quarterly dependency update where the relevant dependencies are checked in detail seems more useful to me.

Dependabot does not support this. The best we have is monthly, and it'll still create separate upgrades if applicable. Dependabot tries to bundle dependencies where it is applicable.

In general, it is a good practice to avoid bundling unrelated dependency upgrades together because it complicates reverts if they are needed. Small changes are usually better in general in my experience.
I understand your perspective. I'd absolutely love a workflow with Dependabot where I'm alerted immediately if a dependency is used in a way that poses a security risk—please don't get me wrong. Unfortunately, as outlined in the blog post I've mentioned above, this is rarely the case.
I'm sure your situation is similar, but I only have limited time and I can't afford to keep up with a lot of updates that will likely not change anything meaningful for the project.
These are the options I currently see:
- Wait for grouped updates of Dependabot and enable it then.
- (In the meantime) Update dependencies sporadically, as necessary.
- Install dependencies as part of the workflow without a lockfile, so patch and minor version upgrades are done automatically without having to change the action. This could be implemented by turning the action into a composite action, where e.g. the `node_modules` folder is cached for a week on the consumer side. The downside here is that if dependencies fail to follow semver, this can break at the consumer side.
What do you think?
Hi @amannn,
I do agree that Dependabot can be quite noisy, but having the latest set of dependencies tends to reduce the surface area of problems that can come up over time.

Would you be interested in changing the interval to something like monthly to reduce noise? At least this way you're only sent PRs at the beginning of the month.
Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval
Thanks for chiming in @vyas-n! Monthly sounds better, but grouped updates would be a requirement from my side. Seems like the feature is in public beta now, so maybe we can add this soon!
Grouped updates are now available. https://github.com/dependabot/dependabot-core/issues/1190#issuecomment-1693360104
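The configuration this thread converges on (a monthly interval plus grouped updates), written out as an added example; it is not a file from the action-semantic-pull-request repository, and the group names and `directory` values are assumptions.

```yaml
# .github/dependabot.yml (added example, not the repository's own file)
version: 2
updates:
  # The action's own npm dependencies (the package.json linked in the thread).
  - package-ecosystem: "npm"
    directory: "/"            # assumption: package.json sits at the repo root
    schedule:
      interval: "monthly"     # one batch per month, as proposed in the thread
    groups:
      # Minor and patch bumps are combined into a single PR, which is the
      # grouped behaviour the maintainer required before enabling Dependabot.
      npm-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    # Major bumps match no group, so they still arrive one PR per dependency
    # and breaking changes get reviewed individually rather than in the batch.
    open-pull-requests-limit: 5

  # Actions referenced from the workflow files under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    groups:
      actions-all:
        patterns:
          - "*"
```

Security updates driven by Dependabot alerts (the GitHub Security Advisories mentioned above) are raised when an advisory is published, independently of `schedule.interval`, so the monthly cadence only throttles routine version bumps.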