
Upgrade dependencies #103

Merged
merged 1 commit into from
Sep 28, 2023

Conversation

rygine
Collaborator

@rygine rygine commented Sep 28, 2023

This PR just upgrades dependencies. There will be no release.

@rygine rygine requested a review from a team September 28, 2023 15:08
@changeset-bot

changeset-bot bot commented Sep 28, 2023

⚠️ No Changeset found

Latest commit: e18a08a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Contributor

@neekolas neekolas left a comment


We should add a .dependabot.yaml file to this repo and automate this process. It has enough test coverage and is well-typed enough to catch issues if they were to come up.

@rygine rygine merged commit 1219db6 into main Sep 28, 2023
@rygine rygine deleted the rygine/dep-upgrades branch September 28, 2023 15:14
@rygine
Collaborator Author

rygine commented Sep 28, 2023

> We should add a .dependabot.yaml file to this repo and automate this process. It has enough test coverage and is well-typed enough to catch issues if they were to come up.

I have reservations about dependabot.

  1. IME, it will directly update lock files for dependencies of dependencies instead of changing the version in package.json. This can break dependencies that are not expecting that version, especially if an author misuses semver.
  2. PR spam
  3. Some upgrades will just break things, even if they're patch updates, as is the case currently

Bottom line, I simply don't trust dependabot and would rather do this process manually. Perhaps things have changed since I last used it, but in the past it was just another system to manage that caused headaches.

@neekolas
Contributor

PR spam is real. I just have it do the check once a week for bot kit pro, so it's a Monday morning chore to review them all. You can then review in a batch and have dependabot merge them in sequence and rebase/retest each PR before it automerges.

You're right that it directly updates lock files, which can break deps.

If there are reasonable tests for the code, 1 and 3 should get caught in CI and stop there.

You're the primary maintainer of this repo. It's your call. As long as deps regularly get updated, I'm happy.
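As an added example (not this repository's configuration), here is a Dependabot config implementing the weekly, batch-reviewed workflow described above; Dependabot reads it from `.github/dependabot.yml`, not `.dependabot.yaml`. The npm ecosystem, root directory and PR limit are assumptions.

```yaml
# Added example, not the repository's own file. Assumed: npm packages
# at the repo root. Path must be .github/dependabot.yml.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    # One check per week on Monday, so reviewing updates becomes a
    # single chore instead of a stream of PRs (the "PR spam" concern).
    schedule:
      interval: "weekly"
      day: "monday"
    # Fold all minor and patch bumps into one PR; major bumps stay
    # separate so a breaking change is reviewed on its own.
    groups:
      minor-and-patch:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    # Raise the range in package.json rather than touching only the
    # lock file (the lock-file concern raised in the thread).
    versioning-strategy: "increase"
    # Hard cap on concurrently open Dependabot PRs.
    open-pull-requests-limit: 5
```

Security-only updates, as mentioned later in the thread, are a per-repository setting under the repo's security settings and are enabled independently of this file.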

@neekolas
Contributor

I think I turned on Dependabot for all repos for critical security updates only. Those are rare but obviously beneficial.
