Closed wincent closed 4 years ago
Should we do the same things for the rest of the projects?
@izaera I think that's a good idea
Ok, let's try it here first, and if it works, do it for le reste.
Dependabot spams us with update PRs that we don't want to merge because of the reasons described here.
Most importantly, there are drawbacks to lockfile-only updates (they are too easily reverted or misunderstood, for example) and we prefer to batch our security updates together based on some human assessment of impact/urgency etc.
So, this settings file should ensure that Dependabot only keeps at most one PR open at a time (the default is 10, I believe), and that it runs weekly (the default, I believe). Additionally, given that we want these PRs only as a cue for a human to schedule a periodic manual audit, we turn off automatic rebasing to further reduce noise.
Test plan: Sadly, I don't think I can test it, short of shipping it and then monitoring. At the moment we have 6 dependency update PRs open in this repo. I'll close them and replace them with a manual update ticket, and then we'll have to watch and see whether the PR count stays at 1 or below.
Closes: https://github.com/liferay/liferay-npm-tools/issues/415
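The three settings the description spells out (one open PR at a time, weekly cadence, no automatic rebasing) map onto a `.github/dependabot.yml` like the one below. This is an added illustration, not the file from this PR or from the liferay-npm-tools repository: the `package-ecosystem`, `directory` and the explanatory comments are assumptions made here, and the default values quoted in the comments are the ones stated in the description above.

```yaml
# .github/dependabot.yml (illustrative example; not the file committed in this PR)
version: 2
updates:
  # Assumption: an npm project with its manifest at the repository root.
  - package-ecosystem: "npm"
    directory: "/"

    # Weekly checks (the description notes this is also the default).
    schedule:
      interval: "weekly"

    # Keep at most one update PR open, as a cue for a human to schedule
    # a manual audit rather than a stream of lockfile-only bumps
    # (the description notes the default is 10).
    open-pull-requests-limit: 1

    # Do not rebase the open PR automatically on every push; the PR is a
    # reminder, so each rebase would only add notification noise.
    rebase-strategy: "disabled"
```

Lowering `open-pull-requests-limit` does not turn off security advisories: Dependabot still raises a single PR for a vulnerable dependency, and the batching of fixes into a reviewed, deliberate update remains a human step, which is the workflow the description asks for.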