I noticed a recent Dependabot PR of a popular project is missing the changelog and release notes sections:
This happened to be a major version bump, indicating breaking changes. While hunting down the release notes, I happened to notice that the maintainer had temp closed the issue tracker to reduce folks filing tickets because things don't work anymore:
Having the release notes / changelog front and center in the Dependabot PRs helps not only our users, but also maintainers because users are more likely to see the notes before they file a new issue. For example, contrast the above PR with this which makes it super easy to see release notes / changelog:
I was going to email the flake8 maintainer, when I realized we should really have a public doc we can link to that shows maintainers how to more easily expose their project's metadata in a way we expect.
The metadata fetch process will vary by ecosystem, so ultimately we should have a few notes and then link to that ecosystem's package index doc on how to expose metadata... but I expect some package index docs don't have a doc like that, so it's an opportunity for us to work with them to create one. That will help those entire ecosystems, not just Dependabot.