Open paulcretu opened 1 month ago
Renovate has a minimumReleaseAge
feature that addresses #3: https://docs.renovatebot.com/configuration-options/#minimumreleaseage
For 1-2, there were a number of recent dependabot fixes it looks like, and dependabot closed the orcasite PRs that you pointed to and replaced them with ones that don't exhibit the problems that I can see. So it seems like we should watch it for a bit and see if the issues resurface or if they have been resolved.
I saw that, hopefully the problems are fixed! Overall this is a low priority issue, so I fully agree on waiting to see what happens
One more minor nuisance with Dependabot: there's no automatic way to only use LTS versions
For example, I'd like to stay on the latest LTS version of node, but the only way to do so right now is to manually ignore every non-LTS version. And it's not as simple as just ignoring odd-numbered releases, because even-numbered releases don't become LTS until 6 months in.
Found an open issue for this, but also it seems like Renovate may be able to handle it better.
Issues with dependabot so far (config is here):
It's not respecting the
open-pull-requests-limit
and keeps opening copies of already existing pull requestsThe groups config mostly works at reducing the number of PRs, but I tried setting up a catchall group (
misc
) which is misbehaving. Once a PR for the misc group is created, it starts including packages already covered by other groups (example PR). My intention was to have the misc group include only packages that weren't part of any other group. My reading of the dependabot docs is that this should work... but it doesn't:There's no good way to set a delay on updates if you want to wait a few weeks before bumping to the latest. 2 reasons for this:
I'm not particularly inclined to investigate/report these issues because it's already been more hassle than it's worth. I'm considering either switching to Renovate which seems to have more active devs, or going back to doing updates manually every now and then.