feat: Use Dependabot to check for Node updates #37

Merged
merged 1 commit into from
Sep 28, 2020
HonkingGoose
Contributor

Changes:

  • Use Dependabot to check for node package updates

Context:

I noticed some packages are out of date, and could use updates.
Dependabot can help with managing your development dependencies.

What will happen when you merge this pull:

This commit enables Dependabot in this repository.
It will check for Node updates each working day (Monday through Friday).
It will run the check at 8 o'clock Dutch time.

Dependabot will use the default labels: "dependencies".
You don't need to add any labels to the repository, Dependabot will manage those automatically.

When you merge this pull request, Dependabot will do a run right away.
Afterwards it will follow the schedule.

Documentation for Dependabot configuration:

For more information on how to configure Dependabot to your liking: https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
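
A `.github/dependabot.yml` matching the schedule described above could look like the following. This is an added example, not the file from this pull request; the `directory` value and the `time`/`timezone` values are assumptions derived from the description.

```yaml
# Constructed example; not the file merged in this pull request.
version: 2
updates:
  - package-ecosystem: "npm"        # Node packages (package.json and lockfile)
    directory: "/"                  # assumption: the manifest lives in the repository root
    schedule:
      interval: "daily"             # "daily" runs on weekdays, Monday through Friday
      time: "08:00"                 # assumption: 8 o'clock, per the description
      timezone: "Europe/Amsterdam"  # assumption: "Dutch time"
    # No `labels` key is set, so Dependabot applies its default labels.
    # Version-update pull requests are only opened; a maintainer still reviews and merges them.
```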

@Kilian
Owner

Kilian commented Sep 28, 2020

Just for my understanding: This repository already gets PRs from dependabot. Does adding this config mean that they get merged automatically?

@HonkingGoose
Contributor Author

> Does adding this config mean that they get merged automatically?

No, automatic merging is not possible with the GitHub-native Dependabot.

From one of the main developers for Dependabot (dependabot/dependabot-core#1973 (comment)):

> Auto-merge will not be supported in GitHub-native Dependabot for the foreseeable future. We know some of you have built great workflows that rely on auto-merge, but right now, we’re concerned about auto-merge being used to quickly propagate a malicious package across the ecosystem. We recommend always verifying your dependencies before merging them.

> This repository already gets PRs from Dependabot.

You only get security updates right now, because GitHub will push those to users when necessary by default.

When you merge this pull request, you'll get normal updates as well.

For more on security updates read: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/configuring-github-dependabot-security-updates

@Kilian
Owner

Kilian commented Sep 28, 2020

Oh, right! I'm not sure if normal updates are a good idea, but let's try :)

@Kilian Kilian merged commit c5982eb into Kilian:master Sep 28, 2020
@HonkingGoose HonkingGoose deleted the use-dependabot-to-check-for-updates branch September 28, 2020 08:16