Granularity of Dependency Updates #1487

Open
madoar opened this issue Nov 1, 2019 · 8 comments
Labels
F: configuration-file F: noise related to Dependabot being noisy, or initiatives to make Dependabot quieter F: version-updates ⬆️ Issues specific to version updates T: feature-request Requests for new features

Comments

@madoar

madoar commented Nov 1, 2019

Dependabot tends to create really fine-grained dependency updates for JavaScript dependencies provided by npm. The PR Spielekreis-Darmstadt/lending#313 is an example of this. In the PR a single patch version update is proposed, which leads to a new PR every few days.

Is this by chance configurable? By configurable I mean that I would like to be able to define a rule like:

  • update a dependency if its version is either 5 patch versions or 1 minor version off

If this is not supported yet, I think this is a useful addition to Dependabot.

@rebelagentm
Contributor

👋 I believe we have ideas like this on our radar, but I don't think that is currently available. However, I'll let @feelepxyz confirm this.

@feelepxyz
Contributor

Thanks for the suggestion @madoar! Not currently possible but we have plans around grouping updates in different ways and this could be one solution to the problem you are seeing. Up for considering different ways to solve the problem of "noisy updates" though.

@gkohen

gkohen commented Nov 7, 2019

Is this a duplicate of #1296 or #1190?

@rebelagentm
Contributor

@gkohen I think it is different from #1190, but similar to #1296. At a high level, I think all three could potentially be solved by one solution, depending on how it gets implemented.

@madoar If you feel this is the same request as #1296, can we close your issue in favor of that? Feel free to add your specific rule request to that issue.

@madoar
Author

madoar commented Nov 7, 2019

> @madoar If you feel this is the same request as #1296, can we close your issue in favor of that? Feel free to add your specific rule request to that issue.

No, my issue is unrelated to #1296. I don't require that multiple dependencies are updated together as a group. My issue is that some dependencies are updated really frequently, e.g. every week or even every day. In such cases @dependabot would create a new PR every time a new update for the dependency is available, e.g. every week or even every day (perhaps even multiple times a day?). This can be quite annoying because the developers potentially need to invest a lot of time to test whether the update breaks anything. If they need to do this every day because the PRs are otherwise polluted by @dependabot, a lot of time is spent on chores instead of on core development tasks like the implementation of new features.

@rebelagentm
Copy link
Contributor

@madoar Thank you for clarifying that! We'll keep this issue open then. The team is pretty swamped at the moment though so, unfortunately, it may be a while before we get to consider this.

@stale stale bot added the stale label Jan 7, 2020
@gabriel-kohen-by

Please keep this issue in scope

@stale stale bot removed the stale label Jan 7, 2020
@feelepxyz feelepxyz added the T: feature-request Requests for new features label Jan 7, 2020
@infin8x infin8x added F: version-updates ⬆️ Issues specific to version updates F: noise related to Dependabot being noisy, or initiatives to make Dependabot quieter labels Jul 20, 2020
@dependabot dependabot deleted a comment from stale bot Feb 4, 2023
@jeffwidman
Member

jeffwidman commented Feb 4, 2023


8 participants