build: improve Dependabot integration #862
Merged
At the moment we try to update dependencies on a daily basis regardless of their type.
This causes a small disruption in case of certain packages, i.e. `@types/*` or `rollup`, as they are updated more frequently, therefore plenty of PRs are created.
Developer dependencies do not need to be updated that often, as we usually use a small subset of their functionality and don't use them directly in a production environment, therefore as long as our own developer experience is not affected or they don't come up with a significant improvement, we don't need to check for updates daily.
Production dependencies, on the other hand, are usually more important, as they contain actual bugfixes or features impacting end users. Moreover, by performing regular updates, we are less prone to be affected by breaking changes, since deprecation notices are thrown at us more often allowing us to get rid of the deprecated part.
The PR makes all production packages be checked in a live mode (PRs should be created as soon as the change is up). Besides that, all Stoplight packages are updated in that mode as well, no matter what their type is. Last but not least, all security updates coming from dev dependencies are checked in real-time too.
DevDependencies are scheduled to be updated on a weekly basis.
I hope I didn't screw the config 😅
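The update policy described in this PR, as an added example that is not part of the PR or of Dependabot itself: a JavaScript sketch that sorts the direct dependencies of a `package.json` into the "live" and "weekly" buckets. The manifest contents, the `@stoplight/` scope prefix used to recognise Stoplight packages, the `pendingSecurityUpdates` set and the function names are assumptions made for illustration.

```javascript
// Added illustration of the policy in the PR description; not Dependabot's code.

// Constructed package.json content (not the project's real manifest).
const manifest = {
  dependencies: { '@stoplight/json': '^3.1.0', lodash: '^4.17.15' },
  devDependencies: {
    '@stoplight/scripts': '^8.0.0',
    '@types/node': '^13.1.0',
    rollup: '^1.27.0',
    lodash: '^4.17.15', // listed in both sections: the production rule wins
  },
};

// Hypothetical input: packages that currently have a security update pending.
const pendingSecurityUpdates = new Set(['rollup']);

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// Returns the schedule for one package and the rule that decided it.
// Rules are checked in the order the PR description lists them.
function scheduleFor(name, manifest, securityUpdates) {
  const isProd = has(manifest.dependencies, name);
  const isDev = has(manifest.devDependencies, name);
  if (!isProd && !isDev) throw new Error(`${name} is not a direct dependency`);
  if (isProd) return { schedule: 'live', rule: 'production' };
  if (name.startsWith('@stoplight/')) return { schedule: 'live', rule: 'stoplight' };
  if (securityUpdates.has(name)) return { schedule: 'live', rule: 'security' };
  return { schedule: 'weekly', rule: 'development' };
}

// Groups every direct dependency by schedule, names sorted for stable output.
function plan(manifest, securityUpdates = new Set()) {
  const names = new Set([
    ...Object.keys(manifest.dependencies || {}),
    ...Object.keys(manifest.devDependencies || {}),
  ]);
  const out = { live: [], weekly: [] };
  for (const name of [...names].sort()) {
    out[scheduleFor(name, manifest, securityUpdates).schedule].push(name);
  }
  return out;
}

console.log(plan(manifest, pendingSecurityUpdates));
```

Running it against a real manifest shows which noisy dev-only packages fall back to the weekly bucket and which ones a pending security update pulls into the live one.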