Motivation

- similar to Workflows https://github.com/argoproj/argo-workflows/pull/12487, most of the automated updates from dependabot here cause problems, a lot of noise, and use up CI time, all without much benefit
  - most often are small patch updates of devDeps that don't affect our usage of them
    - and then subsequent PRs for each individual patch bump etc
  - the majority of PRs in this repo are these updates -- noise would be an understatement.
    - Stats: 288 out of 496 PRs are from dependabot. 164 of those were closed unmerged due to superseding PRs etc. Plus older PRs from Snyk (which also does non-security updates) and probably others I'm missing
  - some also cause a lot of breakage when they pass CI but break something in a way that doesn't have an automated test
- Note that this intentionally does not impact security updates. Security updates will still happen automatically

Modifications

- set `open-pull-requests-limit: 0` in `dependabot.yml` for all our currently specified package ecosystems
  - could potentially split NPM prod and devDeps in these two as well, but I think this is fine for now
- also re-order the package ecosystems and add some comments equivalent to Workflows
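For readers who want to see what the change looks like in a file, here is an added illustration of a `.github/dependabot.yml` with `open-pull-requests-limit: 0` applied to every configured ecosystem. It is not this repository's actual file and is not part of the PR; the ecosystems, directories, and schedule are assumptions chosen for the example.

```yaml
# Added example, not the repository's own dependabot.yml.
# Ecosystems, directories and schedule below are assumptions.
version: 2
updates:
  # Actions referenced from workflow files
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    # 0 disables version-update PRs for this ecosystem only. Dependabot
    # security updates are scheduled and limited separately, so PRs that
    # fix a known vulnerable dependency keep being opened automatically.
    open-pull-requests-limit: 0

  # Go modules
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0

  # JS/TS packages (assumed to live under /ui)
  - package-ecosystem: "npm"
    directory: "/ui"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0

  # Base images in Dockerfiles
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 0
```

The key point for reviewers is the comment on the first entry: the limit governs only version updates, which is why the PR can disable the noisy PRs without turning off the security-update PRs. Keeping the `schedule` block means Dependabot still checks each ecosystem and keeps its dependency graph current; only the opening of non-security PRs stops.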
Verification
GH has no way to actually test this, but this same configuration has been used in Workflows for nearly a month now and is also something I previously implemented in other repos that I have maintained (example).
Future Work
Could potentially split NPM prod and devDeps with different settings as mentioned above