Plots2: Suggestion / request: use Dependabot to keep dependencies up-to-date (reopening for Yarn)

Created on 2 Oct 2018 · 16 Comments · Source: publiclab/plots2

First of all, thanks for PublicLab!

I've got a suggestion / request: would you be up for using Dependabot to automatically create dependency update PRs for this repo? I ran it against my fork and it generated these PRs. I'll port the uglifier one across to this repo so it's easier for you to check it out.

I built Dependabot, but I'm honestly only suggesting it because I hope it can save you some time. I'd love any feedback, and obviously having open source repos using Dependabot helps boost its profile, but if it's not helpful to you then it's not really worth anything.

You can install it from here or here if you decide to give it a try. It's been through GitHub's security testing (to be allowed in the GitHub Marketplace) and is used by a few thousand organisations, and the source code is here.

:octocat:

All 16 comments

Thanks for opening your first issue here! Please follow the issue template to help us help you 👍🎉😄
If you have screenshots to share demonstrating the issue, that's really helpful! 📸

Wow, cool! @publiclab/reviewers what do you think?

Is there a way to have it do the PRs one at a time? Our PR queue is overflowing a bit.

Also, will it be able to deal with any conflicts if it opens multiple at once and we start merging?

Thanks!

Is there a way to have it do the PRs one at a time? Our PR queue is overflowing a bit.

I could set it to only have one PR open at a time, but maybe it would be better for me to help out getting the initial PRs merged? I can review (Dependabot itself is written in Ruby) and get each PR to a point where a maintainer just needs to hit merge. Then, once you're up-to-date you should expect 1-2 PRs a week.

Also, will it be able to deal with any conflicts if it opens multiple at once and we start merging?

Yep! Automatically detects conflicts and fixes them. I've been working on it full time for 18 months, so it's pretty good at what it does. 😎

Thank you! How many PRs will Dependabot open, do you think? Can we do them in batches? Sorry, we're just a bit cautious about opening more than 5 at a time, but even if it's 10, we can just get ready for it so we're not overwhelmed 😅

Another thing we can do is run this on a less active Public Lab project for starters -- like MapKnitter. Although we would have to warn you that some of our less active projects are far less tested and up to date, so maybe that is not a great idea...

Actually we could do it on a JavaScript library - ours are pretty well maintained, unlike our secondary Ruby libraries. We could try https://github.com/publiclab/image-sequencer/ or https://github.com/publiclab/leaflet-environmental-layers/, perhaps, or https://github.com/publiclab/PublicLab.Editor

Or I'm OK trying it on this repository too!

All of those options sound good!

The maximum number of PRs that Dependabot will create in a single update run is 5, and the maximum it will ever have open for a single repo (for a single language) is 10. Hopefully that's enough not to overwhelm!

Oh that is great. Then let's go ahead with this repo. Shall I install it then? I'm finishing for the day, but hopefully tomorrow or Friday.

Yes - thanks, would be perfect! The easiest way to do so is from here - let me know if you have any trouble. I'll also look out for the initial PRs and try to help out with the review 🙂

OK - installed and merged a couple smaller ones! A few questions on the remaining 2... upcoming! Thank you!

Hi @greysteil -- we've installed it on a few more projects, and the NPM based ones really have a lot of updates to run. Cool!

https://github.com/publiclab/spectral-workbench.js/pulls

https://github.com/publiclab/PublicLab.Editor/pulls

One question I had was, is it possible to get dependabot to run a build script? We've considered trying to set up an autobuild bot or something to run grunt build after any changes to /src/, but for now we do it manually. All our tests run against /src/ and not /dist/ so the testing is still all fine, but it would mean we wouldn't have to periodically do a build manually. Just wondering, I know dependabot does a lot already, but I imagine this comes up.

Also, is it OK to be running it on an untested codebase like this one?

https://github.com/publiclab/infragram/pulls

I'll manually test things, but this is not a production project anyways. Just wondering if we're muddying the waters here or something.

Hey @jywarren, that's awesome!

On running a build script: there's no way for Dependabot to do that at the moment :-( Perhaps a use case for the new GitHub Actions?

On running on an untested codebase: that should be totally fine - won't mess anything up on the Dependabot side, and hopefully the compatibility scores will make knowing what's non-breaking a little easier :-)

thanks!

We're doing this across all our major repositories now! Thanks so much!

Hi, @dependabot @greysteil - is there a way to set up dependabot to update our yarn.lock file as well, or an example config.yml we could look at to achieve this? Thank you!

@jywarren for sure.

# .dependabot/config.yml
version: 1
update_configs:
  - package_manager: "ruby:bundler"
    directory: "/"
    update_schedule: "live"
  - package_manager: "javascript"
    directory: "/"
    update_schedule: "live"

There are full docs on config files here, or you can add the additional language from your dashboard (instead of using a config file).
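The config above covers one package manager per entry, and a yarn.lock that no entry covers is exactly what the question was about. The script below is an added example, not code from Dependabot or from this thread: it walks a file listing, maps the manifest and lockfile names it finds to v1 `package_manager` identifiers (`ruby:bundler` and `javascript` are the ones used above; `python` and `docker` are the v1 names as I recall them, so treat them as assumptions and check the docs), emits the matching `update_configs` entries, and reports any (manager, directory) pair the existing config leaves without updates. The file listing is constructed for the example and is not plots2's real tree.

```python
"""Generate Dependabot v1 update_configs from a repository file listing and
flag ecosystems the current config does not cover.

Added example, not Dependabot's own tooling.  The manifest -> package_manager
mapping uses the two identifiers from the thread plus two v1 names assumed
from memory; verify them against the Dependabot config documentation."""
from pathlib import PurePosixPath

# Manifest / lockfile name -> Dependabot v1 package_manager value.
# "ruby:bundler" and "javascript" appear in the thread; "python" and "docker"
# are assumed v1 identifiers.
MANIFESTS = {
    "Gemfile": "ruby:bundler",
    "Gemfile.lock": "ruby:bundler",
    "package.json": "javascript",
    "yarn.lock": "javascript",
    "package-lock.json": "javascript",
    "requirements.txt": "python",
    "Pipfile": "python",
    "Pipfile.lock": "python",
    "Dockerfile": "docker",
}

# Constructed listing standing in for a Rails + Yarn repository with a small
# Python helper tool in a subdirectory.  Not plots2's actual tree.
SAMPLE_TREE = [
    "Gemfile",
    "Gemfile.lock",
    "package.json",
    "yarn.lock",
    "Dockerfile",
    "app/assets/javascripts/application.js",
    "tools/scraper/requirements.txt",
]


def detect_ecosystems(paths):
    """Return {package_manager: sorted list of directories} for a file listing.

    Directories use Dependabot's convention: "/" for the repo root, otherwise
    a leading slash plus the POSIX path of the manifest's parent."""
    found = {}
    for p in paths:
        path = PurePosixPath(p)
        manager = MANIFESTS.get(path.name)
        if manager is None:
            continue  # not a manifest or lockfile we know about
        parent = path.parent.as_posix()
        directory = "/" if parent == "." else "/" + parent
        found.setdefault(manager, set()).add(directory)
    return {m: sorted(d) for m, d in sorted(found.items())}


def render_config(ecosystems, schedule="live"):
    """Emit a v1 .dependabot/config.yml with one update_config per
    (manager, directory) pair, in the same shape as the snippet above."""
    lines = ["version: 1", "update_configs:"]
    for manager, dirs in ecosystems.items():
        for d in dirs:
            lines.append(f'  - package_manager: "{manager}"')
            lines.append(f'    directory: "{d}"')
            lines.append(f'    update_schedule: "{schedule}"')
    return "\n".join(lines) + "\n"


def uncovered(ecosystems, configured):
    """(manager, directory) pairs present in the tree but absent from the
    configured entries, i.e. dependencies nobody is updating."""
    have = {(m, d) for m, dirs in ecosystems.items() for d in dirs}
    return sorted(have - set(configured))


if __name__ == "__main__":
    eco = detect_ecosystems(SAMPLE_TREE)
    print(render_config(eco))
    # A Bundler-only config, the situation before the question above.
    print("not covered:", uncovered(eco, [("ruby:bundler", "/")]))
```

Running it against the sample tree shows the point of the question: with only a `ruby:bundler` entry configured, `javascript` at `/` (the yarn.lock), `docker` at `/` and `python` under `/tools/scraper` are all reported as uncovered, and the rendered config gains one block per pair.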

Amazing and so fast. Are you a bot? 😄 Thanks!
