espressif / idf-extra-components

Additional components for ESP-IDF, maintained by Espressif

Consider setting up dependabot to update submodule dependencies (IEC-2) #29

Open igrr opened 2 years ago

igrr commented 2 years ago

Dependabot has basic support for tracking and upgrading dependencies expressed using git submodules (https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem). Consider setting it up for this repository to get notified whenever a dependency can be upgraded.

Note that we might need to wait for or contribute to https://github.com/dependabot/dependabot-core/issues/1639 first, as currently dependabot will try to upgrade to the latest commit, not to the latest tag.

tore-espressif commented 2 years ago

Done.

I don't have any experience with dependabot, so I'll keep this issue open for future evaluation/discussion

igrr commented 2 years ago

Thanks @tore-espressif!

The PRs opened by dependabot have two problems now:

  1. The PR updates the submodule to the latest commit, not to the latest tag (issue https://github.com/dependabot/dependabot-core/issues/1639 noted above).
  2. Looks like the "publish test results" job is failing.

Still even in this form they are useful as a hint/reminder to us that some dependency might be outdated.

Edit: plus we need to remember to bump the version in idf_component.yml when the dependency is upgraded. So looks like we'll be taking over dependabot PRs anyway.

igrr commented 2 years ago

Given the above limitations, I'm thinking of adding a custom CI workflow instead of dependabot... This workflow could also update our idf_component.yml files and make the PRs mergeable.
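As an added illustration of what such a custom workflow would have to do (this is example code written for this page, not code from the idf-extra-components repository or from Dependabot), the script below resolves the newest release tag of a submodule from `git ls-remote --tags` output, compares it with the commit the superproject currently pins, and rewrites the `version:` line of the component's `idf_component.yml`. It assumes, as hypothetical conventions not stated in the thread, that upstream tags look like `v1.2.3` or `1.2.3`, that the manifest carries a single top-level `version: "x.y.z"` line, and that the component version mirrors the upstream tag; the commit hashes and manifest in the sample are constructed.

```python
"""Plan a submodule bump to the newest release *tag* and update idf_component.yml.

Added example for this issue thread, not project code. Dependabot's gitsubmodule
support moves the submodule to the latest commit; a release-oriented workflow
wants the latest tag and a matching manifest version. Assumptions (hypothetical,
not from the thread): tags are vX.Y.Z or X.Y.Z, idf_component.yml has exactly one
top-level `version:` line, and the component version equals the upstream tag.
"""
import re
import subprocess

TAG_RE = re.compile(r"^refs/tags/v?(\d+)\.(\d+)\.(\d+)$")

# Constructed sample of `git ls-remote --tags <url>` output (fake hashes).
# v1.9.0 and v1.10.0 are annotated tags: the `^{}` line carries the peeled commit.
LS_REMOTE_SAMPLE = """\
1111111111111111111111111111111111111111\trefs/tags/v1.9.0
2222222222222222222222222222222222222222\trefs/tags/v1.9.0^{}
3333333333333333333333333333333333333333\trefs/tags/v1.10.0
4444444444444444444444444444444444444444\trefs/tags/v1.10.0^{}
5555555555555555555555555555555555555555\trefs/tags/v2.0.0-rc1
"""

# Constructed sample manifest in the assumed idf_component.yml shape.
COMPONENT_YML_SAMPLE = """\
version: "1.9.0"
description: constructed sample component manifest
dependencies:
  idf: ">=5.0"
"""


def fetch_ls_remote(url: str) -> str:
    """Run `git ls-remote --tags` for a real remote (not used in the offline sample)."""
    return subprocess.run(["git", "ls-remote", "--tags", url],
                          check=True, capture_output=True, text=True).stdout


def parse_ls_remote_tags(output: str) -> dict:
    """Map 'X.Y.Z' -> commit hash from ls-remote output.

    A submodule pointer records the commit, not the tag object, so for annotated
    tags the peeled `^{}` hash is the one to compare against. Pre-release tags
    (e.g. -rc1) are skipped so the workflow only proposes stable releases.
    """
    tags = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(maxsplit=1)
        peeled = ref.endswith("^{}")
        if peeled:
            ref = ref[:-3]
        m = TAG_RE.match(ref)
        if not m:
            continue
        ver = ".".join(m.groups())
        if peeled or ver not in tags:
            tags[ver] = sha  # peeled hash wins over the tag-object hash
    return tags


def latest_tag(tags: dict) -> str:
    """Highest version by numeric comparison ('1.10.0' beats '1.9.0')."""
    return max(tags, key=lambda v: tuple(int(p) for p in v.split(".")))


def bump_component_version(yaml_text: str, new_version: str) -> str:
    """Rewrite the single top-level version: line; refuse ambiguous manifests."""
    new_text, n = re.subn(r"(?m)^version:.*$", f'version: "{new_version}"', yaml_text)
    if n != 1:
        raise ValueError(f"expected exactly one top-level version line, found {n}")
    return new_text


def plan_update(ls_remote_output: str, current_sha: str, yaml_text: str):
    """Return (tag, commit, updated manifest) or None if already at the newest tag."""
    tags = parse_ls_remote_tags(ls_remote_output)
    newest = latest_tag(tags)
    if tags[newest] == current_sha:
        return None
    return newest, tags[newest], bump_component_version(yaml_text, newest)


if __name__ == "__main__":
    pinned = "2" * 40  # constructed: superproject currently pins v1.9.0
    plan = plan_update(LS_REMOTE_SAMPLE, pinned, COMPONENT_YML_SAMPLE)
    if plan is None:
        print("submodule already at newest release tag")
    else:
        tag, sha, manifest = plan
        print(f"bump submodule to {tag} ({sha}) and write:\n{manifest}")
```

In a real workflow the output of `plan_update` would drive `git -C <submodule> checkout <commit>`, the manifest write, and the PR creation; keeping the tag selection separate from the Git side effects makes the "latest tag, not latest commit" rule easy to test, and the `ValueError` guards against silently editing a manifest whose layout differs from the assumed one.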

igrr commented 1 year ago

This might be worth revisiting, especially since https://github.com/espressif/idf-extra-components/pull/146 adds two libraries which are known to sometimes have CVEs reported for them. It would be good to be able to get the new releases of these libraries published quickly.