Open connorshea opened 6 years ago
I've had this suggested before, and I like the idea of a @dependabot convert to issue command. Shouldn't take too long to implement, although I have a few bugs to crush first.
Thanks for the feedback! 🙏
I haven't tested the "lock file updates only" feature yet, but if it doesn't do this, this may be a great way to support that feature, while also letting engineers know about newer releases.
Feedback from https://github.com/dependabot/feedback/issues/380
I have opted out from dependabot some time ago but I still need some kind of notifications :) Is it possible to configure dependabot to create issues about available updates instead of pull requests?
This would be a great setting. For some of our projects, we really only want the core value of dependabot, that is, knowing that updates exist, with changelog and links, in order to request support budget from clients. The pull requests provide this but also eat our CI quota for small benefit, as we may wait a few weeks before being able to properly review and test the updates.
@greysteil any news?
It would be super useful if, when dependabot cannot create a PR for the alert, it created an issue instead, so it can be assigned to a specific person.
If creating tickets automatically is hard, could you add a button that copies the markdown of the alert when viewing it from Security > Dependabot alerts?
Is this still not available 6 years later? Why even is this issue open then if no one cares?
Any update on this?
It kind of blows my mind that blindly pushing version upgrades is acceptable. I've always checked the changelog of each dependency before pushing any upgrades, so having dependabot create an issue instead is such a great idea.
...but 6 years with no talk about adding it seems like it's never going to happen.
So I have a project called mdn-compat-data-explorer, and it uses an npm package called mdn-browser-compat-data.
The package is heavily integrated into the project, so dependabot opening a PR isn't very useful as simply updating the package won't work and the tests will fail. When I update the package, I have to do a bunch of other stuff manually, like regenerating the JSON data file.
So in this case, it'd be nice if dependabot could open an issue to tell me that the package was updated rather than opening a PR that'll fail anyway.