Dependabot-core: Granularity of Dependency Updates

Created on 1 Nov 2019 · 8 comments · Source: dependabot/dependabot-core

Dependabot tends to create really fine-grained dependency updates for JavaScript dependencies provided by npm. The PR https://github.com/Spielekreis-Darmstadt/lending/pull/313 is an example of this. In the PR a single patch version update is proposed, which leads to a new PR every few days.

Is this by chance configurable? By configurable I mean that I would like to be able to define a rule like:

  • update a dependency if its version is either 5 patch versions or 1 minor version off

If this is not supported yet, I think this is a useful addition to Dependabot.

Labels: noise, version-updates, feature-request
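To make the requested rule concrete, here is an added example (not Dependabot's own code, and not part of the original issue) of a gate that decides whether an update PR is warranted: it opens one only when the newest available version is at least five patch releases ahead of the current version (measured as the difference in the patch number, an assumption of this example) or at least one minor or major version ahead. The names `parse_semver`, `latest_newer`, `update_warranted?`, the `MIN_PATCH_GAP` constant and the `security_fix:` bypass (so that a threshold meant to reduce noise never delays a fix for a known vulnerability) are all hypothetical choices of this example; the version lists are constructed sample data.

```ruby
# Added example, not Dependabot's own code. Implements the "5 patch versions
# or 1 minor version off" rule from the issue as a standalone gate.
# All names below are hypothetical; the sample data is constructed.

MIN_PATCH_GAP = 5 # assumed threshold from the issue text

# Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
# Pre-release and build metadata are ignored; anything else raises.
def parse_semver(str)
  m = str.to_s.strip.match(/\Av?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?\z/)
  raise ArgumentError, "not a semver version: #{str.inspect}" unless m
  m.captures.map(&:to_i)
end

# Newest candidate strictly greater than `current`, as [major, minor, patch],
# or nil when nothing newer is available. Arrays compare lexicographically.
def latest_newer(current, candidates)
  cur = parse_semver(current)
  newer = candidates.map { |c| parse_semver(c) }.select { |v| (v <=> cur) > 0 }
  newer.max
end

# Decide whether the gap is large enough to warrant a PR.
# Returns [decision, reason] so the caller can log why a PR was skipped.
# security_fix: true bypasses the threshold (assumption: advisories should
# never be held back by a noise-reduction rule).
def update_warranted?(current, candidates, min_patch_gap: MIN_PATCH_GAP, security_fix: false)
  latest = latest_newer(current, candidates)
  return [false, "already on the newest version"] if latest.nil?

  target = latest.join(".")
  return [true, "security fix #{target}: threshold bypassed"] if security_fix

  major, minor, patch = parse_semver(current)
  if latest[0] > major || latest[1] > minor
    return [true, "#{target} is a minor or major version ahead"]
  end

  gap = latest[2] - patch
  if gap >= min_patch_gap
    [true, "#{target} is #{gap} patch releases ahead (threshold #{min_patch_gap})"]
  else
    [false, "#{target} is only #{gap} patch release(s) ahead (threshold #{min_patch_gap})"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample registry data for a hypothetical package.
  current = "1.2.3"
  [["1.2.4", "1.2.5"], ["1.2.4", "1.2.8"], ["1.3.0"], ["1.2.3"]].each do |avail|
    decision, why = update_warranted?(current, avail)
    puts "#{current} -> #{avail.inspect}: #{decision ? 'PR' : 'skip'} (#{why})"
  end
end
```

The gate is deliberately stateless: it only compares the current version with what the registry currently offers, so a dependency that ships a patch every day still produces a PR roughly once per five patches rather than once per release. A real policy would also need to decide what happens to an already open PR when a larger gap appears.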

All 8 comments

👋 I believe we have ideas like this on our radar, but I don't think that is currently available. However, I'll let @feelepxyz confirm this.

Thanks for the suggestion @madoar! Not currently possible but we have plans around grouping updates in different ways and this could be one solution to the problem you are seeing. Up for considering different ways to solve the problem of "noisy updates" though.

Is this a duplicate of #1296 or #1190?

@gkohen I think it is different from #1190, but similar to #1296. At a high level, I think all three could potentially be solved by one solution, depending on how it gets implemented.

@madoar If you feel this is the same request as #1296, can we close your issue in favor of that? Feel free to add your specific rule request to that issue.

No, my issue is unrelated to #1296. I don't require that multiple dependencies are updated together as a group. My issue is that some dependencies are updated really frequently, e.g. every week or even every day. In such cases @dependabot would create a new PR every time a new update for the dependency is available, e.g. every week or even every day (perhaps even multiple times a day?). This can be quite annoying because the developers potentially need to invest a lot of time to test whether the update breaks anything. If they need to do this every day because the PRs are otherwise polluted by @dependabot, a lot of time is bound to chores instead of to core development tasks like the implementation of new features.

@madoar Thank you for clarifying that! We'll keep this issue open then. The team is pretty swamped at the moment though so, unfortunately, it may be a while before we get to consider this.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

Please keep this issue in scope
