Add renovate and bolt for auto-package updates, and CVE's #36
Hi @davidzwa, thanks for the PR! Renovate looks like an interesting alternative to Dependabot, which doesn't seem to do its job on this repo for whatever reason. Can you explain why Renovate works best with pinned dependency versions? This change is currently causing a conflict that's preventing the merge. As a library author, pinned versions are generally a no-no, since we actually want library consumers to use the latest, safe versions of all library deps. I think this change would mean that users of openapicmd now have to manually override dependency versions using Otherwise LGTM.
Good question! I just looked it up to be sure. They actually do not require it like I initially thought 👍🏼. So my follow-up question is: shall we pin the devDependencies? Those are not required for external use.
I agree.
Yeah, not a workable solution. See answer above.
Will fix the conflict now.
I've completely removed and re-locked with NPM. There is quite a lot of wiggle room, which also could lead to bugs later as users might have a different set of packages installed. @anttiviljami we should discuss the non-pinning range strategy next. Could you take a look at these 3 sections:
Viable options in my opinion are:
@anttiviljami interested in your review.
Segfault during tests 🤔 Any idea @davidzwa?
Renovate doesn't need pinned versions in your package.json. If you pin dependencies in your package, know that users are forced to use that pinned version. So be careful to pin dependencies.
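The thread above settles on two rules for a library manifest: no exact pins under `dependencies` (consumers would be forced onto one version) and, optionally, exact pins under `devDependencies`. The script below is an added example, not part of this PR or of openapicmd; it classifies each version specifier in a parsed package.json and reports violations of those two rules. `auditPins`, `classifySpec` and the sample manifest are constructed for illustration.

```javascript
// Added example: audit a package.json for the pinning policy discussed in the thread.
//   - exact pins under "dependencies"     -> flagged (forces library consumers onto one version)
//   - ranges under "devDependencies"      -> flagged (the thread proposes pinning those instead)
//   - git/URL/file/tag specifiers         -> reported separately for manual review

// Exact semver pin, optionally with "=" or "v" prefix and a prerelease suffix.
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Returns "exact", "range" (^, ~, >=, *, x, ||, hyphen ranges, empty) or "other".
function classifySpec(spec) {
  const s = String(spec).trim();
  if (EXACT.test(s)) return "exact";
  if (/^[\^~><=*x\d]/.test(s) || s.includes("||") || s.includes(" - ") || s === "") return "range";
  return "other"; // git+https://..., file:..., npm:..., dist-tags such as "latest"
}

function auditPins(pkg) {
  const report = { pinnedDependencies: [], rangedDevDependencies: [], other: [] };
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const kind = classifySpec(spec);
    if (kind === "exact") report.pinnedDependencies.push(`${name}@${spec}`);
    else if (kind === "other") report.other.push(`dependencies:${name}@${spec}`);
  }
  for (const [name, spec] of Object.entries(pkg.devDependencies || {})) {
    const kind = classifySpec(spec);
    if (kind === "range") report.rangedDevDependencies.push(`${name}@${spec}`);
    else if (kind === "other") report.other.push(`devDependencies:${name}@${spec}`);
  }
  return report;
}

// Constructed sample manifest for a hypothetical library (not openapicmd's real package.json).
const SAMPLE_PKG = {
  name: "example-lib",
  dependencies: {
    "left-pad": "1.3.0",                                   // exact pin in a library: flagged
    "semver": "^7.5.0",                                    // caret range: fine for consumers
    "foo": "git+https://example.invalid/foo.git",          // non-registry source: review manually
  },
  devDependencies: {
    "typescript": "5.2.2",                                 // pinned dev dep: as proposed
    "jest": "~29.0.0",                                     // ranged dev dep: flagged
  },
};

function demo() {
  const report = auditPins(SAMPLE_PKG);
  console.log(JSON.stringify(report, null, 2));
  return report;
}
demo();
```

Run it against a real manifest with `auditPins(JSON.parse(fs.readFileSync("package.json", "utf8")))`; an empty `pinnedDependencies` list is the property the thread asks for.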
Fixes #33
Might fix #34
to keep users informed about their status) In case of questions about Renovate and/or Bolt, please ask away!