Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Skip renovate upgrade for golangci-lint dependencies #6179

Closed
dmathieu opened this issue Jan 19, 2025 · 3 comments
Closed

Skip renovate upgrade for golangci-lint dependencies #6179

dmathieu opened this issue Jan 19, 2025 · 3 comments

Comments

@dmathieu
Copy link
Member

Golangci-lint dependencies largely don't respect semver, and make breaking changes that require an upgrade of the linter itself.

We should configure renovate to stop opening PRs for dependencies of golangci-lint, and only upgrade things with the direct dependency.
@pellared
Copy link
Member

pellared commented Jan 20, 2025
edited
Loading

AFAIK this was intentional in order to mitigate security vulns in these dependencies. See #6038

CC @MrAlias

@dmathieu
Copy link
Member Author

Which makes sense. We don't need to do it for all tools dependencies.
But linters really have a high ratio of PRs being closed because they have breaking changes that will only work when the golangci-lint upgrade happens.

@MrAlias
Copy link
Contributor

MrAlias commented Jan 30, 2025

I'm in favor of just closing PRs with breaking changes and keeping upgrades to indirect dependencies. Like @pellared mentioned, the risk of not addressing security vulnerabilities outweighs the noise of having to close PRs.

@dmathieu dmathieu closed this as not planned Won't fix, can't repro, duplicate, stale Jan 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dmathieu @pellared @MrAlias