shields icon indicating copy to clipboard operation
shields copied to clipboard
verified publisher icon badges

Switch to monthly Dependabot schedule

Open PyvesB opened this issue 1 year ago • 1 comments

Do our users really benefit from us having bumped @typescript-eslint/parser six times since the start of June? Or eslint-plugin-jsdoc and @sentry/node five times? And many other consecutive weekly version bumps?

Going through third-party changelogs, sometimes testing in a review app, and approving PRs every week feels like an unwelcome maintenance overhead, especially in a world where there are only one or two Shields.io maintainers active at any given time. Furthermore, it bloats our commit history and uses CI resources for no good reason.

I propose we switch to a monthly schedule, which will allow to batch multiple version bumps together for packages that are a bit too update-happy, lessening the overall burden.

I had already suggested this a few years ago, but a maintainer had pointed out that simple-icons would benefit from staying on a weekly schedule. Dependabot does not officially support multiple schedules for the same directory, but there is apparently a workaround mentionned here: https://github.com/dependabot/dependabot-core/issues/1778#issuecomment-1988140219. We could give it a try, and if ever it stops working in the future, we revert back to the original Dependabot config.

@chris48s as you've taken care of 95% of the Dependabot updates in the past couple of years, would be curious to hear your thoughts.

PyvesB avatar Jul 12 '24 08:07 PyvesB

Yeah it is a good challenge. We've been doing things this way for so long that I haven't really thought to question it recently. Here's a few thoughts:

  • You are right that there are a small number of packages that account for a lot of PRs. As you say, we bump eslint-plugin-jsdoc, @typescript-eslint/parser, @sentry/node, etc every week and don't get much out of it.
  • People do really get worked up about simple-icons updates, but I think that is the only package with that property really.
  • One useful property of weekly updates is that it requires time "little and often". I can bash though a week's worth of updates in about an hour usually. Finding an hour a week isn't too cumbersome or daunting. Working though a month's worth of updates probably wouldn't be 4x the effort and you don't have to do them all at once, but I feel like it requires finding a larger block of time (albeit less frequently).
  • Another good thing about weekly updates is that one week's worth of updates doesn't tend to generate enough PRs at once that rate limits on tokens are a problem. With a month's worth of updates at once, we might start running into builds failing because we've hit rate limits again when we are running a lot of builds on PRs, in the merge queue, and after merge. I fixed a lot of these issues with https://github.com/badges/shields/pull/8538 and https://github.com/badges/shields/pull/9072 but there is some limit on how many builds we can run in a one hour window.
  • Switching the schedule shouldn't have any impact on security. We can tell dependabot to treat security updates differently from regular package bumps.

All in all, I don't consider things to be unnecessarily cumbersome as they are. At the same time, I'd be willing to try out a less frequent schedule (monthly, or perhaps fortnightly?) and see how it goes.

chris48s avatar Jul 13 '24 12:07 chris48s

We switched to a monthly schedule in #11351. We can revisit in the future if need-be.

PyvesB avatar Sep 28 '25 17:09 PyvesB