Open Willgg opened 2 years ago
The reason for adopting dependabot is to keep node modules updated, which I think we should do because it's important to keep modules properly updated for software management.
Currently I should've set the dependabot flow to bimonthly and to the main branch (with my check), but I think it's fine if it's to the dev branch with someone's check, which is checking the changelog of the modules and some versions, merging, and making sure the modules and the project with updated modules are fine (automated is better).
In the future I think it would be really helpful for us to have a person responsible for dev infra and CI/CD.
For now I'll fix the dependabot workflow and the flow as I said in the last comment, and close this issue.
It is cool to have something to check for updates but then we have to update the packages accordingly. Otherwise we have the notification and PR open forever and that is messy.
Yes you're right and I agree with you. Since you want to keep the nice team work from now on, I'll make sure I'll clean bimonthly as soon as PRs are created if you have no problem with that. Or, if you have some other solutions I would like to know.
@Willgg why unassigned??
Maybe we can keep the alerts for updates related to security and remove the other one.
Keeping updated is also about making it secure. There will be deprecated code and modules as we're developing.
Yes, it is up to you! But keep in mind that sometimes a major update may require huge changes to the codebase, as it can break things.
There are almost 20 branches opened by dependabot. We have two choices:
What do we do?