lostisland / faraday

Simple, but flexible HTTP client library, with support for multiple backends.
https://lostisland.github.io/faraday
MIT License

add bundler config to dependabot #1548

Closed geemus closed 5 months ago

geemus commented 5 months ago

Description

I was working on config for faraday-excon and when updating its dependabot stuff I saw you all didn't have bundler configured here either, so I thought I would offer the setup in case you want it.

olleolleolle commented 5 months ago

In case there's no Gemfile.lock, does the dependabot Bundler update really do anything?

geemus commented 5 months ago

@olleolleolle Great question.

With a Gemfile.lock it would be much more active (since it would tend to notify any time any version changed), but I believe it will still monitor and mention the dependencies in the Gemfile and gemspec if they should change. Depending on how tight those are, it may not come up often, but would be likely for major version bumps. I believe it also would monitor the dependency graph in the Gemfile/gemspec for any security issues that might arise, which might be more frequent.

I struggled to find clear documentation on this, but as an example if you look at the excon/excon (which also doesn't have a Gemfile.lock) dependency graph insights page it shows that it is monitoring the Gemfile (clicking the triple dots also shows that it is monitoring the gemspec): https://github.com/excon/excon/network/updates

Does that help/clarify?

olleolleolle commented 5 months ago

It won't hurt, and it won't be many PRs anyway. Go ahead, please!

olleolleolle commented 5 months ago

And, if we don't enjoy it, we can disable it and put a documenting comment in the YAML file and go on.
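For reference, here is what a Bundler entry in `.github/dependabot.yml` looks like, with the kind of documenting comment the last message mentions. This is an added illustration, not the PR's actual diff; the file layout and the weekly schedule are assumptions.

```yaml
# .github/dependabot.yml (assumed path; the PR's own file is not shown on this page)
version: 2
updates:
  # Bundler: Dependabot reads the Gemfile and the gemspec. Without a
  # Gemfile.lock there are no pinned versions to bump, so pull requests
  # appear only when a declared constraint changes or a security advisory
  # affects a dependency in the graph.
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"   # assumed cadence
    # To pause version-update PRs later while keeping the entry as documentation,
    # set the limit to 0 (security updates are still opened):
    # open-pull-requests-limit: 0
```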