We currently spend an unacceptable amount of time patching all of our repos to the very latest versions of all dependencies, when actually we have some repos that are barely used and are already marked for retirement.
In these cases, the risk of loosening our Dependabot policy for deprecated repos should be very low. In fact, the risk of accidentally breaking something in the deprecated repo - through bumping a dependency - is moderately high, as we'd be relying purely on tests to catch any regressions. (There may be too little user activity for it to be noticed otherwise).
Security updates should still be applied.
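As an added illustration (not from this issue or the linked doc), the kind of `dependabot.yml` change this implies for a repo marked for retirement: the current everyday policy beside a loosened one that switches off version-update PRs but leaves security updates on. The package ecosystem and directory are assumptions; substitute the repo's real ones.

```yaml
# BEFORE (assumed current policy for an actively maintained repo):
# daily version-update PRs for every dependency.
version: 2
updates:
  - package-ecosystem: "bundler"   # assumption: replace with the repo's ecosystem
    directory: "/"
    schedule:
      interval: "daily"

---
# AFTER (loosened policy for a repo marked for retirement).
# open-pull-requests-limit: 0 disables version updates for this
# ecosystem; Dependabot security updates are not affected by this
# setting, so security PRs still arrive (they are enabled separately
# in the repo's settings, not in this file).
version: 2
updates:
  - package-ecosystem: "bundler"   # assumption: replace with the repo's ecosystem
    directory: "/"
    schedule:
      interval: "weekly"           # still required even with the limit at 0
    open-pull-requests-limit: 0
```

Avoid achieving the same effect with `ignore` rules (e.g. ignoring all `version-update:*` types): those rules are also applied to security updates, which would contradict the "security updates should still be applied" requirement above.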
See https://docs.google.com/document/d/1qcnGDzw5PKKg97c3ivDpBtmbbutsUcIfk5GZxqLqFjg/edit for more.
Trello: https://trello.com/c/kpf7rWEq/2979-change-dependabot-configs-for-content-publisher-and-maslow