
chore: updating dependabot file to support gha, TS, JS, gradle, Go lang, cargo and docker packages #271

Merged
merged 2 commits into from
May 13, 2024

Conversation

rajpalc7
Contributor

No description provided.

…ng, cargo and docker packages

Signed-off-by: Rajpal Chauhan <rajpal.chauhan@gov.bc.ca>
Member

@WadeBarnes WadeBarnes left a comment


Looks good to me, but I'd like feedback from other maintainers.

Contributor

@berendsliedrecht berendsliedrecht left a comment


LGTM.

@swcurran swcurran merged commit c98169e into hyperledger:main May 13, 2024
4 checks passed
@TimoGlastra
Member

Do you think we can maybe batch the updates per language/tools? There's a lot of PRs open now, and it's quite tedious to have to merge them one by one.


@WadeBarnes
Member

WadeBarnes commented May 14, 2024

@TimoGlastra, We could look into grouping the dependency updates, but I've also heard complaints from developers that that causes other issues.

One option is to use the dependabot updates as a guide and create a separate PR that updates all of the dependencies that can be updated without issue. Merging that PR will trigger dependabot to reevaluate and close any PRs that are no longer relevant.

Dependabot is a topic for the ACA-PUG meeting today.

@TimoGlastra
Member

Yeah, the thing I don't like about dependabot is that a lot of these dependencies are dev dependencies (for javascript especially), and that you're spending a lot of time on updates that don't really improve things.

@WadeBarnes
Member

> Yeah, the thing I don't like about dependabot is that a lot of these dependencies are dev dependencies (for javascript especially), and that you're spending a lot of time on updates that don't really improve things.

It looks like that could be controlled; https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow
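The two points raised in this thread, batching updates per ecosystem and not tracking dev dependencies, both map onto documented `dependabot.yml` options: `groups` collects several bumps into one PR, `allow` with `dependency-type: "production"` skips dev dependencies, and `open-pull-requests-limit` caps how many PRs can be open at once. The file below is an added example written for this discussion, not the repository's own `.github/dependabot.yml` from this PR; the directories, schedules and group names are assumptions.

```yaml
# Added example, not this repository's .github/dependabot.yml.
# Directories, schedules and group names are assumptions.
version: 2
updates:
  # GitHub Actions: one grouped PR per week instead of one PR per action.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"

  # TypeScript/JavaScript: only production dependencies are tracked, so
  # dev-only tooling bumps never open a PR. Minor and patch bumps are
  # batched; major bumps still arrive as individual PRs for review.
  - package-ecosystem: "npm"
    directory: "/"              # assumed location of package.json
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    allow:
      - dependency-type: "production"
    groups:
      npm-minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"

  # Gradle (JVM/Kotlin wrappers): grouped weekly.
  - package-ecosystem: "gradle"
    directory: "/"              # assumed location of build.gradle
    schedule:
      interval: "weekly"
    groups:
      gradle-dependencies:
        patterns:
          - "*"

  # Go modules: grouped weekly.
  - package-ecosystem: "gomod"
    directory: "/"              # assumed location of go.mod
    schedule:
      interval: "weekly"
    groups:
      go-dependencies:
        patterns:
          - "*"

  # Cargo: grouped weekly.
  - package-ecosystem: "cargo"
    directory: "/"              # assumed location of Cargo.toml
    schedule:
      interval: "weekly"
    groups:
      cargo-dependencies:
        patterns:
          - "*"

  # Docker base images: kept ungrouped so each base-image bump is reviewed
  # on its own, since a base-image change alters the whole runtime.
  - package-ecosystem: "docker"
    directory: "/"              # assumed location of the Dockerfile
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
```

Security-relevant trade-off: restricting `allow` to production dependencies reduces PR noise but also means Dependabot version updates will not bump a vulnerable dev dependency; Dependabot security updates are governed separately, so check that they remain enabled in the repository settings before relying on this filter.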
