dcousens
commented
10 months ago @jonkoops can we reduce this to
- at most one weekly lockfile update
- majors as they appear
Closed dependabot[bot] closed 10 months ago
dcousens
commented
10 months ago @jonkoops can we reduce this to
jonkoops
commented
10 months ago at most one weekly lockfile update
The lockfile needs to be updated whenever dependencies are updated, so I am not sure what you mean here. I can configure Dependabot to only run updates once a week, if that is what you prefer.
majors as they appear
So you want to always create PRs for major versions? It's possible, I think by specifying a separate range, but we might as well do it once a week, should be no harm in that.
Personally, I don't particularly care, I'll just merge them as they come along, but let me know what you prefer.
dcousens
commented
10 months ago The lockfile needs to be updated whenever dependencies are updated, so I am not sure what you mean here.
Yes, but the reverse isn't true. Dependency version ranges don't need to be updated for the lock file to be updated.
Renovate refers to this as lockFileMaintenance, an example configuration I use in other projects.
The end result is, you only need additional pull requests for major version changes, as minor version changes are captured when you update your lock file, assuming you used a ^ or > anyway.
This results in - what should be non-breaking changes - accumulated in one pull request, and breaking changes ready to review in separate pull requests.
jonkoops
commented
10 months ago Yes, but the reverse isn't true. Dependency version ranges don't need to be updated for the lock file to be updated. Renovate refers to this as lockFileMaintenance, an example configuration I use in other projects.
Ahh, yeah that makes sense indeed. It's always good to regenerate the lockfile every once and a while. Unfortunately, I don't believe Dependabot has this functionality, it can be configured to only update the lockfile for the dependencies listed in the package, but it will not update other dependencies in the lockfile.
Personally, I also prefer Renovate, but it requires admin access to add it to the repository, so I just went the path of least resistance and configured Dependabot instead. If you, or @JedWatson can install the Renovate app, we can use it instead.
The end result is, you only need additional pull requests for major version changes, as minor version changes are captured when you update your lock file, assuming you used a
^or>anyway.
Yeah this is true. I like having both the lockfile and the package be on the latest versions (even if it's a range), hence I configured Dependabot to bump both versions. Either way, this is just a personal preference, and has no functional impact.
If you like we can set up Renovate in a similar manner as your example configuration.
Bumps tsd from 0.30.2 to 0.30.3.
Release notes
Sourced from tsd's releases.
Commits
bb28db10.30.36896a11Add code 2561 to known errors (#205)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show