az-digital / arizona-bootstrap

UArizona's front-end toolkit based on Bootstrap 4 and 5.
https://digital.arizona.edu/arizona-bootstrap
MIT License

Dependabot pull requests can't be merged. #1266

Open mmunro-ltrr opened 1 month ago

mmunro-ltrr commented 1 month ago

Problem/Motivation

Dependabot's grouped pull requests for dependencies currently include some unwanted version number bumps.

Describe the bug

Now that Dependabot produces pull requests that group several different dependency version bumps, there is almost always one unwanted upgrade that invalidates the entire PR.

To Reproduce

Review recent Dependabot PRs that have attempted an eslint 9 upgrade.

Proposed resolution

Introduce more version number constraints for the upgrades that Dependabot and ncu are suggesting.

Expected behavior

Most Dependabot PRs are suitable for merging.

mmunro-ltrr commented 1 month ago

The dependabot.yml file can constrain version number bumps, for example by forbidding major version number upgrades within a group, but some npm packages advance their version numbers much more rapidly than others, so something more fine-grained is required. Before Dependabot was grouping its upgrades, the usual way to control it was through comments on the individual pull requests, so before hard-coding constraints in the config file, experiments with comments following the

@dependabot ignore DEPENDENCY_NAME major version

pattern should show if targeting specific dependencies within the group will work.
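An added example, not the repository's own dependabot.yml, of how the per-dependency constraints discussed above can be written into the config file once the comment-based experiments show which dependencies need them. The weekly schedule, the group names and the choice to block only eslint's major upgrade are assumptions made for illustration:

```yaml
# Example dependabot.yml (constructed for illustration; not the project's file).
# Goal: keep grouped npm PRs mergeable by (a) limiting what a group may contain
# and (b) pinning back the individual packages that bump major versions too fast.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"          # assumed cadence

    groups:
      # Group only minor and patch bumps so one unwanted major upgrade
      # cannot invalidate the whole grouped PR.
      dev-dependencies:
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
      production-dependencies:
        dependency-type: "production"
        update-types:
          - "minor"
          - "patch"

    # Fine-grained, per-dependency constraints. A major bump for a listed
    # package is then never proposed, so it can no longer block the group.
    # This is the config-file equivalent of the
    #   @dependabot ignore DEPENDENCY_NAME major version
    # comment used on individual pull requests.
    ignore:
      - dependency-name: "eslint"                  # assumed: eslint 9 is unwanted here
        update-types: ["version-update:semver-major"]
```

With groups restricted to minor and patch updates, any remaining major bump is opened as its own single-dependency PR, so it can be reviewed or closed on its own without holding up the rest of the upgrades.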