Closed nelsonic closed 1 year ago
I don't think we can only update the minor versions and ignore the patches.
I suspect the way Dependabot works is by checking the version "rules" in mix.exs: see https://hexdocs.pm/elixir/Version.html
I was more specifically looking at whether "~>" could be used for minor versions only, but I don't think that is the way it works.
In the Dependabot configuration I can't see a way to only update the minor versions either.
However we can definitely run Dependabot weekly/monthly and at a specific time.
If we search for the dependabot.yml file in the dwyl org we have 48 files found: https://github.com/search?q=org%3Adwyl+filename%3Adependabot.yml&type=code
I'm not sure if there is an automatic way to update these files; I think it will be quicker to go over them manually to update the configuration.
@SimonLab yeah, we will definitely have to do this manually. But we can do them ad hoc.
e.g.: next time there is a @dependabot PR we use that as an opportunity to update the dependabot.yml in that repo.
I just want to have a clear understanding of what that file needs to contain so that we can copy-paste it and be done. 📋
I think I've now updated most of the dependabot configuration to run weekly. It's possible that I might have missed some, but we should now have a lot less daily noise.
What I was suggesting was reading the docs for the ignore configuration: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#creating-ignore-conditions-from-dependabot-ignore
e.g.:

```yaml
ignore:
  - dependency-name: "express"
    # For Express, ignore all updates for version 4 and 5
    versions: ["4.x", "5.x"]
  # For Lodash, ignore all updates
  - dependency-name: "lodash"
  # For AWS SDK, ignore all patch updates
  - dependency-name: "aws-sdk"
    update-types: ["version-update:semver-patch"]
```
So ours would simply ignore all the dev dependencies:

```yaml
ignore:
  # ignore all patch updates in dev dependencies ref: github.com/dwyl/technology-stack/issues/126
  - dependency-name: "credo"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "excoveralls"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "ex_doc"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "esbuild"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "floki"
    update-types: ["version-update:semver-patch"]
  - dependency-name: "phoenix_live_reload"
    update-types: ["version-update:semver-patch"]
```
We could steadily add to this list as needed.
Thinking we will just have a comprehensive list of non-core/essential dependencies that we just ignore patch updates for:
```yaml
version: 2
updates:
  - package-ecosystem: mix
    directory: "/"
    schedule:
      interval: weekly
      time: "17:00"
      timezone: Europe/London
    ignore:
      # ignore all patch updates in dev dependencies ref: github.com/dwyl/technology-stack/issues/126 [alphabetical list]
      - dependency-name: "credo"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "dialyxir"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "excoveralls"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "ex_doc"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "esbuild"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "floki"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "gettext"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "mock"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "phoenix_live_dashboard"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "phoenix_live_reload"
        update-types: ["version-update:semver-patch"]
```
Should this be closed? https://github.com/dwyl/mvp/pull/344 was already merged and @SimonLab already pushed a few PRs to a handful of repos with this change.
Indeed. The issue was assigned to @LuchoTurtle but no comment was made, so @SimonLab picked up the task. ✅
While it's good to have our dependencies up-to-date, the number of @dependabot PRs is getting a bit ridiculous ... It's very noisy to have this many PRs spamming our notifications each morning. 🤦‍♂️
Often they are for minor updates like `build(deps-dev): Bump excoveralls from 0.16.0 to 0.16.1` 🙄 We really don't care about these minor Dev dependency updates ... 👎
Todo:
- `0.16.0` to `0.16.1` completely and only update when a patch, e.g.: `0.16.0` to `0.17.0`, or major is released.
- `07:00` to something like `16:00` so that it doesn't spam us first thing in the morning.
@LuchoTurtle if you have T1h, please read the Docs https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file and figure out how we can ignore the minor releases of dev dependencies. Do we need to list them all individually? In which case please start that list. 🙏
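The "comprehensive list" of non-core dependencies proposed earlier in the thread, and the question here of whether they must be listed individually, can both be settled by deriving that list from mix.exs. This is an added example, not code from the dwyl repos or from Dependabot; it assumes the constructed mix.exs snippet embedded below and uses plain regexes on the deps tuples rather than a real Elixir parser. It only generates patch-ignore entries for deps marked `only: :dev` / `:test`, so runtime deps, whose patch releases are where security fixes usually land, keep receiving every update.

```python
import re

# Constructed sample mix.exs deps (not dwyl's real file): runtime deps mixed with
# dev/test-only tooling, as a typical Phoenix app declares them.
SAMPLE_MIX_EXS = '''
      {:phoenix, "~> 1.7.0"},
      {:credo, "~> 1.7", only: [:dev, :test], runtime: false},
      {:dialyxir, "~> 1.3", only: [:dev], runtime: false},
      {:excoveralls, "~> 0.16", only: :test},
      {:ex_doc, "~> 0.29", only: :dev, runtime: false},
      {:floki, ">= 0.30.0", only: :test},
      {:phoenix_live_reload, "~> 1.2", only: :dev},
      {:plug_cowboy, "~> 2.5"}
'''
# One dependency tuple: {:name, "requirement", opts...}
DEP_RE = re.compile(r'\{:(\w+),\s*"[^"]*"(?P<opts>[^}]*)\}')
ONLY_RE = re.compile(r'only:\s*(\[[^\]]*\]|:\w+)')

def dev_only_deps(mix_exs: str) -> list[str]:
    """Names of deps restricted to :dev/:test via `only:`, i.e. never shipped to prod."""
    names = []
    for m in DEP_RE.finditer(mix_exs):
        only = ONLY_RE.search(m.group("opts"))
        if not only:
            continue  # no `only:` means a runtime dep: keep every update, patches included
        envs = set(re.findall(r':(\w+)', only.group(1)))
        if envs and envs <= {"dev", "test"}:
            names.append(m.group(1))
    return sorted(names)

def ignore_block(names: list[str], indent: int = 4) -> str:
    """Render the dependabot.yml `ignore:` list that skips patch bumps for `names`."""
    pad = " " * indent
    lines = [f"{pad}ignore:", f"{pad}  # ignore all patch updates in dev dependencies"]
    for name in names:
        lines.append(f'{pad}  - dependency-name: "{name}"')
        lines.append(f'{pad}    update-types: ["version-update:semver-patch"]')
    return "\n".join(lines) + "\n"

def missing_from_ignore(names: list[str], dependabot_yml: str) -> list[str]:
    """Dev-only deps that an existing dependabot.yml does not yet list under ignore."""
    listed = set(re.findall(r'dependency-name:\s*"?([\w-]+)"?', dependabot_yml))
    return [n for n in names if n not in listed]

if __name__ == "__main__":
    # Print the block to paste under the mix `updates:` entry (indent 4 matches it)
    print(ignore_block(dev_only_deps(SAMPLE_MIX_EXS)))
```

Running `missing_from_ignore` against a repo's current dependabot.yml is the quick way to audit the 48 files for dev deps that were never added to the list.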