Working with Dependabot can be time-consuming. Recently, for example, I asked why Dependabot hadn't bumped django-permissions-policy since v4.12.0 [1], which was released on 2022-06-05. The latest version is 4.20.0, which was released on 2024-06-19. The reason? We'd instructed Dependabot to ignore django-permissions-policy with @dependabot ignore, and since then had been bumping it ourselves. The following table shows the timeline.
In summary, django-permissions-policy was never removed. It was, in effect, pinned by the instruction to Dependabot between 2022-02-17 and 2024-07-03.
Creating a timeline is time-consuming. Whilst it's not necessary, it is useful to understand what happened when. Here, it seems as though we'd forgotten about the instruction to Dependabot and had been living with the consequences ever since. "The consequences" aren't limited to bumping a dependency ourselves; they include not using the latest version of a dependency in production.
I'd argue that @dependabot ignore is a bug, not a feature. Either way, it's certainly a headache: See dependabot/dependabot-core#2255. We've had several conversations about Dependabot's limitations. We should consider alternatives, such as Mend.io's Renovate. @evansd linked to a blog post by Jamie Tanna about it. [2]
We've agreed to limit the scope to just Job Server and to time-box the investigation and work. We should look at what the alternatives to Dependabot are, beyond Renovate, and select one to use.
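The issue above shows why a forgotten @dependabot ignore is hard to notice: the instruction lives in a closed PR's comments, and reconstructing the timeline by hand is slow. The script below is an added example (not code from this issue or from Dependabot) that builds that audit automatically from PR comments. The comment records are constructed stand-ins for what the GitHub API would return; only the command syntax ("@dependabot ignore this dependency", "... this major version", "... this minor version") and the "Bump X from A to B" PR title format are real Dependabot conventions. It treats an ignore as active until a human reviews it and does not model any un-ignore mechanism, so the threshold (`max_days`) is an assumed review interval, not a Dependabot setting.

```python
"""Audit '@dependabot ignore' instructions left in pull request comments.

Added example, not part of the original issue. The comments below are
constructed stand-ins for what you would fetch from the GitHub API
(GET /repos/{owner}/{repo}/issues/{number}/comments).
"""
import re
from dataclasses import dataclass
from datetime import date

# Dependabot PR titles look like "Bump <name> from <old> to <new>".
BUMP_TITLE = re.compile(r"^Bump (?P<name>\S+) from (?P<old>\S+) to (?P<new>\S+)")

# The ignore commands Dependabot accepts in PR comments.
IGNORE_CMD = re.compile(
    r"@dependabot ignore this (?P<scope>dependency|major version|minor version)",
    re.IGNORECASE,
)


@dataclass
class Comment:
    pr_title: str
    author: str
    created: date
    body: str


@dataclass
class ActiveIgnore:
    dependency: str
    scope: str
    since: date
    author: str
    days_active: int


def audit_ignores(comments, today):
    """Return one ActiveIgnore per dependency with an ignore instruction.

    Comments are processed in chronological order, so a later instruction
    for the same dependency (e.g. a narrower 'minor version' ignore)
    replaces an earlier one. Comments on non-Dependabot PRs, or without an
    ignore command, are skipped.
    """
    active = {}
    for c in sorted(comments, key=lambda c: c.created):
        title = BUMP_TITLE.match(c.pr_title)
        cmd = IGNORE_CMD.search(c.body)
        if not title or not cmd:
            continue
        name = title.group("name")
        active[name] = ActiveIgnore(
            dependency=name,
            scope=cmd.group("scope").lower(),
            since=c.created,
            author=c.author,
            days_active=(today - c.created).days,
        )
    return sorted(active.values(), key=lambda a: a.since)


def stale_ignores(comments, today, max_days=90):
    """Ignores older than `max_days` (assumed review interval) on `today`."""
    return [a for a in audit_ignores(comments, today) if a.days_active > max_days]


# Constructed sample data. The django-permissions-policy dates mirror the
# issue's timeline (ignored 2022-02-17, noticed 2024-07-03); the rest is made up.
SAMPLE_COMMENTS = [
    Comment("Bump django-permissions-policy from 4.4.0 to 4.5.0", "alice",
            date(2022, 2, 17), "@dependabot ignore this dependency"),
    Comment("Bump django from 4.0.1 to 4.0.2", "bob",
            date(2022, 3, 1), "@dependabot rebase"),          # not an ignore
    Comment("Bump requests from 2.31.0 to 2.32.3", "carol",
            date(2024, 6, 10), "@dependabot ignore this major version"),
    Comment("Fix flaky test", "dave",
            date(2024, 6, 12), "@dependabot ignore this dependency"),  # not a Dependabot PR
]
AUDIT_DATE = date(2024, 7, 3)

if __name__ == "__main__":
    for a in audit_ignores(SAMPLE_COMMENTS, AUDIT_DATE):
        flag = " STALE" if a.days_active > 90 else ""
        print(f"{a.dependency}: ignore {a.scope} since {a.since} "
              f"by {a.author} ({a.days_active} days){flag}")
```

Run it against real data by replacing `SAMPLE_COMMENTS` with comments pulled from each closed Dependabot PR; the stale list is the set of dependencies that are, in effect, pinned without anyone having decided to pin them, which is the situation the issue describes.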
Footnotes
[1] https://bennettoxford.slack.com/archives/C069SADHP1Q/p1719946121312349
[2] https://bennettoxford.slack.com/archives/C01T2HACV3K/p1713174069344909