Dependabot not working as intended #545

Open

paulcretu opened this issue Jul 25, 2024 · 4 comments
Comments

@paulcretu
Member
Issues with dependabot so far (config is here):

  1. It's not respecting the open-pull-requests-limit and keeps opening copies of already existing pull requests

  2. The groups config mostly works at reducing the number of PRs, but I tried setting up a catchall group (misc) which is misbehaving. Once a PR for the misc group is created, it starts including packages already covered by other groups (example PR). My intention was to have the misc group include only packages that weren't part of any other group. My reading of the dependabot docs is that this should work... but it doesn't:

Dependabot creates groups in the order they appear in your dependabot.yml file. If a dependency update could belong to more than one group, it is only assigned to the first group it matches with.

  3. There's no good way to set a delay on updates if you want to wait a few weeks before bumping to the latest. 2 reasons for this:
    • Sometimes dependencies have peer conflicts that can take a bit to get resolved upstream. This happened to me with eslint-plugin recently. Not a huge deal, just slightly annoying. I manually ignored that minor version.
    • It's maybe a good practice to wait for the dust to settle before upgrading to the latest release of something and not have such tight coupling on updates (Crowdstrike incident sorta comes to mind)

I'm not particularly inclined to investigate/report these issues because it's already been more hassle than it's worth. I'm considering either switching to Renovate which seems to have more active devs, or going back to doing updates manually every now and then.

@paulcretu
Member Author

Renovate has a minimumReleaseAge feature that addresses #3: https://docs.renovatebot.com/configuration-options/#minimumreleaseage

@dthaler
Contributor

dthaler commented Jul 26, 2024

For 1-2, there were a number of recent dependabot fixes it looks like, and dependabot closed the orcasite PRs that you pointed to and replaced them with ones that don't exhibit the problems that I can see. So it seems like we should watch it for a bit and see if the issues resurface or if they have been resolved.

@paulcretu
Member Author

I saw that, hopefully the problems are fixed! Overall this is a low priority issue, so I fully agree on waiting to see what happens

@paulcretu
Member Author

paulcretu commented Aug 13, 2024

One more minor nuisance with Dependabot: there's no automatic way to only use LTS versions

For example, I'd like to stay on the latest LTS version of node, but the only way to do so right now is to manually ignore every non-LTS version. And it's not as simple as just ignoring odd-numbered releases, because even-numbered releases don't become LTS until 6 months in.

Found an open issue for this, but also it seems like Renovate may be able to handle it better.
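The two configuration problems raised in this thread (the catch-all `misc` group absorbing packages already covered by other groups, and the lack of a way to track only Node LTS lines) both live in `dependabot.yml`. The following is an added example, not the orcasite project's own config and not something either commenter posted. It assumes the documented `groups.<name>.exclude-patterns` key and uses `eslint`, `react` and `@types/node` as stand-in package names; whether `exclude-patterns` actually prevents the overlap reported above is not confirmed by this thread.

```yaml
# .github/dependabot.yml (illustrative; not the orcasite configuration)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap on concurrent Dependabot PRs; the first comment reports this
    # limit not being honoured.
    open-pull-requests-limit: 5
    groups:
      eslint:
        patterns:
          - "eslint"
          - "eslint-*"
          - "@typescript-eslint/*"
      react:
        patterns:
          - "react"
          - "react-dom"
      # Catch-all group. A bare "*" matches every dependency, so the other
      # groups' patterns are repeated under exclude-patterns rather than
      # relying on first-match ordering alone.
      misc:
        patterns:
          - "*"
        exclude-patterns:
          - "eslint"
          - "eslint-*"
          - "@typescript-eslint/*"
          - "react"
          - "react-dom"
    ignore:
      # Manual approach to staying on Node LTS: list the non-LTS lines by
      # hand. @types/node is an assumed stand-in for whatever package pins
      # the Node version in this repo. Nothing here expresses "even-numbered
      # but not yet LTS", so the list has to be edited when a new line ships.
      - dependency-name: "@types/node"
        versions: ["21.x", "23.x"]
```

The `ignore` block makes the LTS complaint concrete: Dependabot can only skip versions you enumerate, so a freshly released even-numbered Node line is still proposed during the months before it becomes LTS unless someone adds it to (and later removes it from) this list.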
