Adds automatic dependabot checks #135
Conversation
| - package-ecosystem: "npm" # See documentation for possible values | ||
| directory: "/" # Location of package manifests | ||
| schedule: | ||
| interval: "monthly" |
There was a problem hiding this comment.
On one of the projects I work on, we have this set to "monthly", and then we allow dependabot to create as many simultaneous PRs as it wants, which results in one day a month with lots and lots of dependency PRs, and then no dependency PRs for the rest of the month.
In some ways, not having constant "dependabot noise" feels nice. The cost, of course, is a bigger barrage of PRs once a month.
For a project as small as our website, though, I think either way is fine. We don't have don't many dependencies to begin with.
There was a problem hiding this comment.
@anaulin agree. I set to monthly for that reason -- this site is fairly small. Is there an additional setting for depbot to create "simultaneous" PRs or was that just a figure of speech?
There was a problem hiding this comment.
Not a figure of speech. By default, dependabot opens at most 5 simultaneous PRs for version updates; so if you need more than 5 updates in a month, and the frequency is set to monthly, then it will open 5 PRs and stop until the next month, and some of your dependencies will go un-updated.
You can see this in action on the Convene repo, where dependabot opens 5 PRs each week(ish).
There is a setting to let dependabot open PRs up to a set number: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit
There was a problem hiding this comment.
I like the monthly + unlimited!
No description provided.