Closed GoliathLabs closed 1 year ago
Hi,
I will take a look at some point, but GitHub has similar features integrated without any tooling.
We have two types of dependencies:
I will never use npm. Horrible tool compared to yarn.
@xf- Hi, Dependabot is a tool from GitHub, which you even did use with a few dependencies that had security issues.
Dependabot uses ecosystems for its configuration. The npm ecosystem does include the yarn package manager and updates the packages accordingly (see: https://github.com/ffrgb/meshviewer/commit/bdb63645387b8e4f678fecb4def65e9b170dd47c)
I never used dependabot as merge. I always upgrade all dependencies, but somebody did.
What is the difference to GitHub? It does that already by itself.
In general, I try to avoid increasing dependencies on GitHub-specific features.
About NPM also covering yarn: that's stupid naming on GitHub's side. NodeJS is the language, and NPM uses a different lock file. Didn't know that; I only saw your commit message with the change to npm.
Like I wrote, I will think about it. My initial thought is that there is no need to add it. I see no advantage in adding it, and in general most libraries have incompatible new versions; the best thing would be a rewritten meshviewer with a modern module loader. I want to test updates before they are added into the develop/main branches.
Description
I already use Dependabot for many projects. With Dependabot it is relatively easy to stay up to date with the dependencies and packages used. Instead of always checking for updates manually, you can use the dependabot.yml configuration to tell Dependabot to check the project once a week for new releases of e.g. the npm/yarn dependencies that are used or newer Docker image tags. If there are new updates, a new pull request is automatically created for them.
Motivation and Context
Since this procedure takes at least some work off my hands over at my projects, I wanted to ask if you would be up to using it as well.
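As an added illustration of the configuration the description proposes (this is not a file from the meshviewer repository or from the PR itself), a `.github/dependabot.yml` that checks the npm/yarn dependencies and the Docker base image weekly; the directory, the `develop` target branch, the PR limit and the label are assumptions:

```yaml
# Added example, not the project's own file. Paths, branch name and limits
# are assumptions.
version: 2
updates:
  # The "npm" ecosystem also covers yarn: Dependabot reads package.json and
  # updates yarn.lock, as the commit linked in the discussion shows.
  - package-ecosystem: "npm"
    directory: "/"            # where package.json lives (assumed)
    schedule:
      interval: "weekly"
      day: "monday"
    # Raise version-update PRs against develop (assumed branch name) so that
    # updates are tested there before they reach main. Caveat: with
    # target-branch set, Dependabot's security updates are not opened for
    # this entry; those only target the repository's default branch.
    target-branch: "develop"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"

  # Newer tags of the base image referenced in the Dockerfile
  - package-ecosystem: "docker"
    directory: "/"            # where the Dockerfile lives (assumed)
    schedule:
      interval: "weekly"
```

Each update still arrives only as a pull request, so nothing lands in a branch without review and a CI run.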