Dependabot: Set weekly, grouped updates and daily security updates limit notifications and merges #701

allella wants to merge 2 commits into hackgvl:develop from
Conversation
irby
left a comment
This looks good to me. I think this is a great idea to minimize noise caused by minor package upgrades but also prioritize security-focused updates where needed.
Are we sure that the
I think this kind of format would work instead:

```yaml
# ----------------------------------------------------
# npm – Daily security updates
# ----------------------------------------------------
- package-ecosystem: npm
  directory: "/"
  schedule:
    interval: daily
  versioning-strategy: lockfile-only
# ----------------------------------------------------
# npm – Weekly grouped non-security updates (Tuesday)
# ----------------------------------------------------
- package-ecosystem: npm
  directory: "/"
  schedule:
    interval: weekly
    day: tuesday
  versioning-strategy: lockfile-only
  groups:
    npm-all:
      patterns:
        - "*"
      update-types:
        - "minor"
```

EDIT: It looks like Dependabot doesn't like this format. I think the following format will do? I think Dependabot, by default, will always check for security updates daily. This config will just limit the minor updates to a weekly basis.

```yaml
version: 2
updates:
  - package-ecosystem: npm
    directory: "/"
    schedule:
      interval: "weekly"
      day: "tuesday"
    versioning-strategy: lockfile-only
    groups:
      npm-minor:
        patterns:
          - "*"
        update-types:
          - "minor"
```
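A small lint for a parsed `dependabot.yml` that catches the problem the first draft above ran into (two `updates` entries for the same ecosystem and directory) plus a couple of easy-to-typo fields. This is an added example, not code from the PR or the hackgvl repo; the two configs are embedded as the Python structures `yaml.safe_load` would return, so it runs without PyYAML, and the duplicate-entry rule is my reading of the failure described in the thread.

```python
"""Lint a parsed dependabot.yml for the pitfalls discussed in this PR."""

VALID_INTERVALS = {"daily", "weekly", "monthly"}
VALID_UPDATE_TYPES = {"major", "minor", "patch"}


def lint_dependabot(config):
    """Return a list of problems; an empty list means the config looks sane."""
    problems = []
    if config.get("version") != 2:
        problems.append("version must be 2")
    seen = set()
    for i, entry in enumerate(config.get("updates", [])):
        where = f"updates[{i}]"
        key = (entry.get("package-ecosystem"), entry.get("directory"),
               entry.get("target-branch"))
        # Assumption: two entries for the same ecosystem + directory (and
        # target branch) are rejected, which is what broke the first draft.
        if key in seen:
            problems.append(f"{where}: duplicate ecosystem/directory {key[:2]}")
        seen.add(key)
        interval = entry.get("schedule", {}).get("interval")
        if interval not in VALID_INTERVALS:
            problems.append(f"{where}: bad schedule.interval {interval!r}")
        for name, group in entry.get("groups", {}).items():
            bad = set(group.get("update-types", [])) - VALID_UPDATE_TYPES
            if bad:
                problems.append(f"{where}: group {name} bad update-types {sorted(bad)}")
    return problems


# Constructed from the first draft in the thread: npm listed twice for "/".
FIRST_DRAFT = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/",
     "schedule": {"interval": "daily"}, "versioning-strategy": "lockfile-only"},
    {"package-ecosystem": "npm", "directory": "/",
     "schedule": {"interval": "weekly", "day": "tuesday"},
     "versioning-strategy": "lockfile-only",
     "groups": {"npm-all": {"patterns": ["*"], "update-types": ["minor"]}}},
]}

# Revised draft: one weekly grouped entry; security updates left to GitHub.
REVISED = {"version": 2, "updates": [FIRST_DRAFT["updates"][1]]}

if __name__ == "__main__":
    print(lint_dependabot(FIRST_DRAFT))  # one duplicate-entry problem
    print(lint_dependabot(REVISED))      # []
```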
@irby Yesterday, I was told by one of the "interns" that `versioning-strategy: lockfile-only` will prevent us from updating anything more than minor, assuming our npm and composer aren't allowing anything major. The docs say for `lockfile-only`: "Only create pull requests to update lockfiles. Ignore any new versions that would require package manifest changes." So, I'm wondering if is redundant. Also, since it seems GitHub is handling the security updates, we may get by with no daily configuration in the .yml file and just declare the weekly grouped updates for npm and composer. Finally, I thought the "grouping" setting was for all updates, but after posting I see the setting in GitHub says "Grouped security updates", so that's probably not helpful unless we want to group security updates as well as non-security updates. Maybe that's alright, but the non-security ones are a bit more annoying since there tend to be more of them.
…t.yml. Add a comment about Github handling the daily security dependabot via an enabled setting.
I pushed in a new file that assumes we don't need to worry about security updates in the .yml and removes the bogus security-updates-only config.

This will allow security updates to continue on a daily basis.
Groups are enabled on the non-security updates to do one PR for any available minor updates at once. Since we are limiting things to minor version updates (via `versioning-strategy: lockfile-only`) I'm assuming this won't create any large or complicated-to-review minor package updates. If so, we can adjust course.

The `open-pull-requests-limit` previously limited the number of PRs opened at once. That could actually delay notifications if we didn't quickly close an earlier PR. This limit has been removed since the "groups" should make for few, larger non-security PRs. Plus, Dependabot can open multiple security PRs without a backlogged / queued-up series that could create a new PR as soon as we just closed one, which seems like it creates more work and more CI/CD processing than if we are merging a number of PRs in bulk.