vertx-junit5

add dependabot configuration

Open yeikel opened this issue 2 years ago • 10 comments

See https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/

yeikel avatar Mar 20 '22 00:03 yeikel

Can we go to weekly instead of daily?

jponge avatar Mar 21 '22 08:03 jponge

I do agree, this is aggressive.

Can we configure it to send a notification instead of opening a PR automatically?

vietj avatar Mar 21 '22 09:03 vietj

> Can we go to weekly instead of daily?

I updated the configuration to weekly.

I also suggest that you enable this from the repository settings:

image

See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

> Can we configure it to send a notification instead of opening a PR automatically?

We can do this, but from what I understand it will only send notifications for security updates. I am not sure, though, as I have never used Dependabot that way.

How about setting it to a lower limit like only one open at a time? Or simply just no limit at all?

The great thing about Dependabot is that it creates PRs with labels, so if they create too much noise for us we can just filter them out.

I also think it will be beneficial for collaborators to know that there are pending PRs with potential upgrades so that we can follow up. Otherwise only admins will know about them, and it is possible that you will miss them unintentionally.

Additionally, in my opinion, it is better to have them there even if we don't action them immediately. Dependabot will keep the PRs updated and ready to be merged, and that reduces the manual work involved (assuming there are no breaking changes, of course). In past PRs that I contributed to this project, I had to go and update them manually. For example:

https://github.com/vert-x3/vertx-grpc/pull/113#issuecomment-1063026552

Also, I tested it in my fork and we already have two upgrades that we could apply. As they are patches, we should be able to just merge them if all our checks pass:

image

yeikel avatar Mar 21 '22 13:03 yeikel

As a side note, I sent this same PR to most of the other modules, so once we agree on a configuration, I can update them.

Thank you!

yeikel avatar Mar 21 '22 13:03 yeikel

@vietj @jponge

Could you please take a look at my comment above?

yeikel avatar Mar 29 '22 20:03 yeikel

Let me review the other config options first.

vietj avatar Mar 30 '22 07:03 vietj

I think we want at least to set a few dependencies we want to ignore, like jackson or guava, because we update those ourselves and we are aware of CVEs related to them quickly. In addition, such dependencies are never updated automatically in our stack because we want to do it all at once; otherwise it would create conflicts with the transitive closure.

vietj avatar Mar 30 '22 07:03 vietj

We just need to define the set of blacklisted Dependabot dependencies here first, and then you update this PR accordingly and update the other PRs.

vietj avatar Mar 30 '22 07:03 vietj

Here is the start of a list of dependencies we want to exclude:

  • guava
  • jackson
  • netty
  • loggers

vietj avatar Mar 30 '22 07:03 vietj

> Here is the start of a list of dependencies we want to exclude:
>
> * guava
> * jackson
> * netty
> * loggers

@vietj I updated the configuration with your suggestions.

yeikel avatar Apr 16 '22 23:04 yeikel
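The settings this thread converges on (weekly schedule, a cap on open PRs, labels for filtering, and an ignore list for the libraries the maintainers upgrade by hand), written out as an added example `.github/dependabot.yml`; this is not the file from the PR. The Maven ecosystem, the `/` directory, the label name and the exact `groupId:artifactId` patterns used to express "guava", "jackson", "netty" and "loggers" are assumptions.

```yaml
# Added example, not the PR's actual file. Assumes a Maven project with
# its pom.xml at the repository root.
version: 2
updates:
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      # Weekly rather than daily, as agreed in the thread.
      interval: "weekly"
    # Keep at most one open upgrade PR at a time to limit noise.
    open-pull-requests-limit: 1
    # Label so collaborators can filter Dependabot PRs in the PR list.
    labels:
      - "dependencies"
    # Libraries the maintainers upgrade manually and all at once, because
    # they track CVEs for these themselves and bumping one in isolation
    # conflicts with the transitive closure of the stack.
    ignore:
      # guava (assumed coordinates)
      - dependency-name: "com.google.guava:guava"
      # jackson (assumed: all Jackson groupIds and artifacts)
      - dependency-name: "com.fasterxml.jackson.*:*"
      # netty (assumed: every Netty artifact)
      - dependency-name: "io.netty:*"
      # loggers (assumed interpretation: SLF4J and Log4j artifacts)
      - dependency-name: "org.slf4j:*"
      - dependency-name: "org.apache.logging.log4j:*"
```

Enabling Dependabot security updates from the repository settings, as suggested in the thread, is configured separately from this file.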