Add dependabot #991
Conversation
Codecov Report: Base: 58.12% // Head: 58.08% // Decreases project coverage by -0.05%

Additional details and impacted files:

```diff
@@            Coverage Diff             @@
##           master     #991      +/-   ##
==========================================
- Coverage   58.12%   58.08%   -0.05%
==========================================
  Files         100      100
  Lines        2295     2295
  Branches      260      260
==========================================
- Hits         1334     1333       -1
  Misses        917      917
- Partials       44       45       +1
```

View full report at Codecov.
The yml file looks good to me, but perhaps other senior developers who have worked with dependabot before can help to cross-check before we merge this pull request. 😀 Other developers who are also unfamiliar with dependabot, this is the document that I referred to: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file Also, I would like to know other developers' thoughts on adding one more
I think the dependabot config is okay. However, I think most of the outdated packages in our repo are due to the outdated Angular version that we are using. I do not think we should upgrade these dependencies without upgrading Angular to the LTS version, unless there are severe security vulnerabilities or any critical fixes required. That's why it is important to keep Angular up to date.
I think this is a good idea too.
@CATcher-org/developers Please let us know your thoughts on @chunweii 's comment. From the Dependabot document, it seems quite safe to have Dependabot automatically introduce changes since we can run tests & review the updates:
I have not used Dependabot myself, but according to the documentation:
I think it is possible for CATcher to use Dependabot even if we do not use the latest version of Angular, if Dependabot accounts for the current version of Angular/Typescript CATcher is using before suggesting dependency upgrades.
@gycgabriel Thanks for your input. I think we can proceed to merge this PR
LGTM
Summary:
Fixes #771
Changes Made:
This PR will configure dependabot to create PRs to update outdated npm dependencies at a weekly interval (at a random time). As far as I understand, it will help us identify outdated packages and reduce the mundane workload when updating our dependencies.
I set the `open-pull-requests-limit` to 20 since we have a large number of outdated dependencies, but maybe our more experienced developers can further advise on the config 🙂

Proposed Commit Message:
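A `dependabot.yml` that matches what the description above states, written out here as an added example; it is not the file submitted in this PR. The npm ecosystem, the weekly interval and `open-pull-requests-limit: 20` come from the description; the root `directory` and the `ignore` block are assumptions added to illustrate how the concern raised in the thread (Dependabot proposing upgrades the current Angular version cannot take) can be handled with a standard option rather than by upgrading everything at once.

```yaml
# Added example of .github/dependabot.yml, not the PR's own file.
# Settings taken from the PR description: npm, weekly, 20 open PRs.
version: 2
updates:
  - package-ecosystem: "npm"
    # Assumption: package.json sits at the repository root.
    directory: "/"
    schedule:
      # Weekly checks; with no day or time set, Dependabot picks the
      # time itself, which matches the "random time" in the description.
      interval: "weekly"
    # Cap on concurrently open Dependabot PRs, as chosen in this PR.
    open-pull-requests-limit: 20
    # Assumption, not part of this PR: keep Angular packages on their
    # current major release line so version-update PRs stay within what
    # the app currently builds against. Minor and patch updates are
    # still proposed for these packages.
    ignore:
      - dependency-name: "@angular/*"
        update-types: ["version-update:semver-major"]
```

With this in place, every PR Dependabot opens still runs the repository's test workflow and goes through normal review, so an update that breaks the build is caught before merge rather than after; the `ignore` block only narrows what gets proposed, it does not replace that review.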