ci: add dependabot docker and npm ecosystems #3885
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This means more dependabot PRs, and hopefully less manual work keeping Dockerfiles up to date. In some cases careful testing will be required before merging Docker PRs but at least we have a to-do list in the form of dependabot PRs. With the npm package ecosystem, dependabot will also start suggesting more NPM updates, and not just the security updates (that's why I limited the number of them until 0.13 has landed).
Walther
reviewed
Mar 6, 2023
.github/dependabot.yml
Outdated
Comment on lines
20
to
23
| # Automatically update NPM packages | ||
| - package-ecosystem: "npm" | ||
| directory: "/" | ||
| open-pull-requests-limit: 3 # for now, once 0.13 landed we can increase this |
There was a problem hiding this comment.
I'm slightly hesitant on adding the npm updates right now, in part because of the earlier work on #3838 and discovering the need to configure our typescript project and its build process to support consuming ECMAScript Modules #3841. Currently, we are blocked by this on updating a lot of dependencies, we can't use "pure ESM build" dependencies.
There was a problem hiding this comment.
OK, I have commented out the npm ecosystem for now and added a comment that mentions the #3841 ESM packaging issue
We do not use dependabot with npm yet because our build process is currently incompatible with "pure ESM build" dependencies. See also #3841
vvagaytsev
pushed a commit
that referenced
this pull request
Mar 13, 2023
This means more dependabot PRs, and hopefully less manual work keeping Dockerfiles up to date. In some cases careful testing will be required before merging Docker PRs but at least we have a to-do list in the form of dependabot PRs. We do not use dependabot with npm yet because our build process is currently incompatible with "pure ESM build" dependencies. See also #3841
vvagaytsev
pushed a commit
that referenced
this pull request
Mar 13, 2023
This means more dependabot PRs, and hopefully less manual work keeping Dockerfiles up to date. In some cases careful testing will be required before merging Docker PRs but at least we have a to-do list in the form of dependabot PRs. We do not use dependabot with npm yet because our build process is currently incompatible with "pure ESM build" dependencies. See also #3841
This was referenced May 11, 2023
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it:
This means more dependabot PRs, and hopefully less manual work keeping Dockerfiles up to date.
In some cases careful testing will be required before merging Docker PRs but at least we have a to-do list in the form of dependabot PRs.
With the npm package ecosystem, dependabot will also start suggesting more NPM updates, and not just the security updates (that's why I limited the number of them until 0.13 has landed).
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer: