Hi,
I would like to propose that we use Dependabot for dependency updates
https://dependabot.com/
We have been doing a lot of dependency updates lately, and it is very hard to keep track, and to keep up.
Dependabot will create the pull requests each time we have a dependency to update.
I tested it on a clone of hexo-util and here is the result: https://github.com/tomap/hexo-util/pulls
5 super nice pull requests, with the commit list between the two versions of the dependency
Dependabot will update those pull requests to fix any conflict, and if there is an issue with the build, it will be up to us to fix it, of course.
I propose we set it up on a single "minor" repo (like hexo-util) to start, and if we are satisfied with it, we can set it up on all repos, up to the main one: hexo.
This is a proposition, to be discussed of course, with all maintainers.
Thomas
PS: I started the discussion on gitter: https://gitter.im/hexojs/hexo
PS2: I contacted dependabot support, and they confirmed it's free for open source organizations
I totally agree with tomap.
The Hexo project has many repositories and they have many dependency packages.
Currently we update manually. It is very hard for us.
Especially, we have to confirm breaking changes when we update a package.
Dependabot automatically collects release notes, changelogs and diff info and writes that information to the PR.
If we use dependabot, it will save our maintenance cost.
Ok, so not much reaction. I do not seem to have enough rights to set up dependabot for hexo-util (or any hexo repo).
@yoshinorin, can you do it?
No... I can't.
I found this.
https://help.github.com/articles/permission-levels-for-an-organization/
Maybe we can't install a marketplace app.
It can be done only by an owner-level user.
And this.
https://github.com/dependabot/feedback/issues/193#issuecomment-424526458
For now, your Dependabot permissions are based entirely on your GitHub permissions.
Perhaps if we ping @hexojs/founder team they will have permissions to add DependaBot. (Assuming they like the idea.)
Cool idea. I will try to see if I can install dependabot to hexojs.
Updates: I have installed dependabot to all hexojs repositories with package.json.
My inbox confirms, it worked 👍
@hexojs/core
I have a question related to a dependabot pull request.
Please see #3370