
Consider alternatives to Dependabot #4412

Open
iaindillingham opened this issue Jul 3, 2024 · 1 comment

Comments

@iaindillingham (Member)

Working with Dependabot can be time-consuming. Recently, for example, I asked why Dependabot hadn't bumped django-permissions-policy since v4.12.0,[^1] which was released on 2022-06-05. The latest version is 4.20.0, which was released on 2024-06-19. The reason? We'd instructed Dependabot to ignore django-permissions-policy with `@dependabot ignore`, and since then had been bumping it ourselves. The following table shows the timeline.

| Date | PR | Description |
|---|---|---|
| 2022-01-11 | #1516 | Dependabot bumped from 4.6.0 to 4.7.0 |
| 2022-01-17 | #1529 | we bumped from 4.7.0 to 4.8.0 |
| 2022-02-17 | #1613 | we instructed Dependabot to ignore |
| 2022-02-18 | #1614 | we created issue asking for it to be removed |
| 2022-07-25 | #1946 | we bumped from 4.8.0 to 4.12.0 |
| 2022-08-30 | #1614 | we closed issue |
| 2024-07-03 | #1613 | we instructed Dependabot not to ignore |
| 2024-07-03 | #4411 | Dependabot bumped from 4.12.0 to 4.20.0 |

In summary, django-permissions-policy was never removed. It was, in effect, pinned by the instruction to Dependabot between 2022-02-17 and 2024-07-03.

Creating a timeline is time-consuming. Whilst it's not necessary, it is useful to understand what happened when. Here, it seems as though we'd forgotten about the instruction to Dependabot and had been living with the consequences ever since. "The consequences" aren't limited to bumping a dependency ourselves; they include not using the latest version of a dependency in production.

I'd argue that `@dependabot ignore` is a bug, not a feature. Either way, it's certainly a headache: see dependabot/dependabot-core#2255. We've had several conversations about Dependabot's limitations. We should consider alternatives, such as Mend.io's Renovate. @evansd linked to a blog post by Jamie Tanna about it.[^2]

Footnotes

[^1]: https://bennettoxford.slack.com/archives/C069SADHP1Q/p1719946121312349

[^2]: https://bennettoxford.slack.com/archives/C01T2HACV3K/p1713174069344909

@lucyb (Contributor) commented Jul 9, 2024

We've agreed to limit the scope to just Job Server and to time-box the investigation and work. We should look at what the alternatives to Dependabot are, beyond Renovate, and select one to use.
