climatechoice
Enable dependabot
I think we should consider enabling dependabot.
I've been using it on a bunch of my own projects recently and it is brilliant. It'll keep an eye on our dependencies (node_modules) and create a pull request when a new version of any package is released.
It'll mean we end up with a bunch of pull requests to keep an eye on and manage, but I think it's worth it.
Any thoughts?
We use Renovate and it’s great, especially the auto-merge feature, which Dependabot also has. Just make sure the ‘master’ branch is protected so feature branches can only land if all the tests pass. Netlify will fail the build if any dep upgrades fail.
The recent GitHub acquisition of Dependabot will also ensure even tighter integration in future.