orcasound / orcasite

Live-listening web app -- http://live.orcasound.net
GNU Affero General Public License v3.0

Dependabot not working as intended #545

Open paulcretu opened 1 month ago

paulcretu commented 1 month ago

Issues with dependabot so far (config is here):

  1. It's not respecting the open-pull-requests-limit and keeps opening copies of already existing pull requests

  2. The groups config mostly works at reducing the number of PRs, but I tried setting up a catchall group (misc) which is misbehaving. Once a PR for the misc group is created, it starts including packages already covered by other groups (example PR). My intention was to have the misc group include only packages that weren't part of any other group. My reading of the dependabot docs is that this should work... but it doesn't:

    Dependabot creates groups in the order they appear in your dependabot.yml file. If a dependency update could belong to more than one group, it is only assigned to the first group it matches with.

  3. There's no good way to set a delay on updates if you want to wait a few weeks before bumping to the latest. 2 reasons for this:

    • Sometimes dependencies have peer conflicts that can take a bit to get resolved upstream. This happened to me with eslint-plugin recently. Not a huge deal, just slightly annoying. I manually ignored that minor version.
    • It's maybe a good practice to wait for the dust to settle before upgrading to the latest release of something and not have such tight coupling on updates (Crowdstrike incident sorta comes to mind)

I'm not particularly inclined to investigate/report these issues because it's already been more hassle than it's worth. I'm considering either switching to Renovate which seems to have more active devs, or going back to doing updates manually every now and then.

paulcretu commented 1 month ago

Renovate has a minimumReleaseAge feature that addresses #3: https://docs.renovatebot.com/configuration-options/#minimumreleaseage

dthaler commented 1 month ago

For 1-2, there were a number of recent dependabot fixes it looks like, and dependabot closed the orcasite PRs that you pointed to and replaced them with ones that don't exhibit the problems that I can see. So it seems like we should watch it for a bit and see if the issues resurface or if they have been resolved.

paulcretu commented 1 month ago

I saw that, hopefully the problems are fixed! Overall this is a low priority issue, so I fully agree on waiting to see what happens.

paulcretu commented 1 month ago

One more minor nuisance with Dependabot: there's no automatic way to only use LTS versions

For example, I'd like to stay on the latest LTS version of node, but the only way to do so right now is to manually ignore every non-LTS version. And it's not as simple as just ignoring odd-numbered releases, because even-numbered releases don't become LTS until 6 months in.

Found an open issue for this, but also it seems like Renovate may be able to handle it better.
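Added illustration of the settings discussed in this thread (the open-pull-requests-limit, first-match group ordering with a catchall last, and a manual ignore for one bad minor release); this is not orcasite's own dependabot.yml, which is linked above but not shown here. The directory, package names and ignored version are assumptions.

```yaml
# Added example, not the orcasite repository's actual config.
# Paths, package names and versions below are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                 # assumed location of package.json
    schedule:
      interval: "weekly"
    # Cap on concurrently open PRs for this ecosystem; the first
    # comment reports Dependabot exceeding it with duplicate PRs.
    open-pull-requests-limit: 5
    # Per the docs quoted above, groups are evaluated in file order and
    # a dependency joins the first group it matches, so the catchall
    # must be the last group.
    groups:
      eslint:
        patterns:
          - "eslint"
          - "eslint-*"
          - "@typescript-eslint/*"
      react:
        patterns:
          - "react"
          - "react-dom"
          - "@types/react*"
      misc:
        patterns:
          - "*"
        # Belt-and-braces: repeat the other groups' patterns here so
        # misc stays disjoint even if first-match ordering is not
        # honoured. Assumed workaround, not verified against the bug.
        exclude-patterns:
          - "eslint"
          - "eslint-*"
          - "@typescript-eslint/*"
          - "react"
          - "react-dom"
          - "@types/react*"
    # Skip one release while an upstream peer conflict is resolved,
    # as the thread describes doing by hand for an eslint plugin.
    # Package name and version are constructed placeholders.
    ignore:
      - dependency-name: "eslint-plugin-PLACEHOLDER"
        versions: ["1.2.x"]
```

The ignore entry is a stopgap for one known-bad minor; it has to be removed by hand once the conflict is fixed upstream, which is the maintenance cost the thread is complaining about.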