Use dependabot instead of greenkeeper for automated dependency management

[trivikr]

Is your feature request related to a problem? Please describe. We're currently using greenkeeper for automated dependency management. It's good, but dependabot seems much better.

Describe the solution you'd like Use dependabot for automated dependency management as:

• It was acquired by GitHub on 05/23 (announcement) - GitHub made it free for all repos and doubled down it's team size to add more features.
• GitHub has already integrated dependabot for automated security fixes
• Dependabot source is much more actively maintained than that of Greenkeeper/Renovate
• Many aws projects are already using dependabot:
  • awslabs/aws-greengrass-provisioner
  • awslabs/aws-serverless-express
  • awslabs/serverless-application-model
• Dependabot is support across several languages - Ruby, Python, JavaScript, Java, .NET, PHP, Go, Elixir and Rust. Once successfully used with JS SDK, it can be ported to other language SDKs.
• Configuration options are more granular, and easy to manage

Describe alternatives you've considered Greenkeepr/Renovate

[trivikr]

I've personally been using dependabot on repo react-hooks-todo-ts for three weeks now, and have been happy with the experience PRs https://github.com/trivikr/react-hooks-todo-ts/pulls/app%2Fdependabot-preview

[trivikr]

May be this can be done after moving to yarn workspaces as requested in #232 Dependabot has support for both lerna and yarn workspaces https://dependabot.com/javascript/

[trivikr]

I've been testing depedabot on my personal repo react-hooks-todo-ts for around 1.5 months now. The only concern I have is too many PRs. There's no option to opt-out of patch updates (feature request in https://github.com/dependabot/feedback/issues/256)

Some available solutions to reduce the number of PRs:

• Use allowed_updates to only allow security updates
  • We don't need to explicitly set dependabot for this, as security alerts on GitHub do it for us.
• Switch to weekly update_schedule
  • Need to find out how depedabot prioritizes updates. Is it by importance of a dependency (like dependency vs devDependency) or difference in version numbers or something else

[trivikr]

Dependabot doesn't have any ongoing plans to provide an option to opt-out of minor and/or patch versions as explained in https://github.com/dependabot/feedback/issues/256#issuecomment-512881222

This is a code change in their backend which isn't open source https://github.com/dependabot/feedback/issues/256#issuecomment-513089934

[lock[bot]]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.