
ER: Proposal to limit Dependabot code version updates to exclude patches

Open t-will-gillis opened this issue 1 year ago • 1 comments

Emergent Requirement - Problem

The Dependabot is currently configured to check for updated dependencies and, if a new version is available, to create a PR. The current config checks for all updates regardless of size, including minor patches.

Issue you discovered this emergent requirement in

  • #6785

Date discovered

4/28/24

Did you have to do something temporarily

  • [ ] YES
  • [x] NO

Who was involved

@t-will-gillis

What happens if this is not addressed

The Dependabot will create a PR for updates, which can be a nuisance for minor patches.

  • The proposed behavior is to only update 'major' and 'minor' updates, and wait between 'patch' updates.
  • The Dependabot uses semantic versioning/semver to determine updates.
  • Ex: changing from a current v5.10.2,
    • to v5.10.3 is a patch,
    • to v5.11.0 is a minor update,
    • and to v6.0.0 is a major update.
  • Important note: this does not apply to security updates and patches, only to version updates.

Resources

Recommended Action Items

  • [x] Make a new issue
  • [x] Discuss with team
  • [ ] Let a Team Lead know

Potential solutions [draft]

Referring to the dependabot.yml config file:

  • [ ] Add ignore statement (the syntax needs to be verified):
    ignore:
      # each ignore entry is a list item; "*" matches every dependency
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]

t-will-gillis avatar May 01 '24 04:05 t-will-gillis
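
An added example, not part of the original issue and not Dependabot's own code: a simplified Python model of the proposed ignore rule, showing which of the version bumps listed in the issue would still produce a PR. The `"*"` dependency name, the package name `example-lib` and all function names are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Ignore rule from the issue as a Python structure. The "*" dependency name is
# an assumption: it makes the rule apply to every dependency.
IGNORE = [{"dependency-name": "*",
           "update-types": ["version-update:semver-patch"]}]

_SEMVER = re.compile(r"^v?\s*(\d+)\.(\d+)\.(\d+)$")

def parse(version):
    """Return (major, minor, patch) for 'v5.10.2', 'v 5.10.2' or '5.10.2'."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {version!r}")
    return tuple(int(part) for part in m.groups())

def update_type(current, candidate):
    """Name the bump with the update-type strings used in dependabot.yml."""
    cur, new = parse(current), parse(candidate)
    if new <= cur:
        return None  # same version or a downgrade: nothing to propose
    # The first component that differs decides the type.
    for name, i in (("major", 0), ("minor", 1), ("patch", 2)):
        if new[i] != cur[i]:
            return f"version-update:semver-{name}"

def opens_pr(dep, current, candidate, security=False, ignore=IGNORE):
    """True if this simplified model would still raise a PR for the update."""
    kind = update_type(current, candidate)
    if kind is None:
        return False
    if security:
        return True  # per the issue, the rule does not touch security updates
    return not any(fnmatchcase(dep, rule["dependency-name"])
                   and kind in rule.get("update-types", [])
                   for rule in ignore)

def preview(dep, current, candidates):
    """Map each candidate version to whether a PR would be opened."""
    return {c: opens_pr(dep, current, c) for c in candidates}

if __name__ == "__main__":
    # Constructed sample: the version numbers are the ones used in the issue.
    print(preview("example-lib", "v5.10.2", ["v5.10.3", "v5.11.0", "v6.0.0"]))
```
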

Hi @t-will-gillis, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:

  i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
  ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

github-actions[bot] avatar May 01 '24 04:05 github-actions[bot]

Issue #6849 opened to address the ER, therefore closing this.

t-will-gillis avatar May 11 '24 01:05 t-will-gillis