chore: enable GitHub Dependabot #2311
@ylemkimon I agree with this PR and I agree that PR #2301 should be merged first. If you could update these branches with the base branch, I would be happy to give them a positive review. In the meantime, I have a question. In my local repository, I just tried to run |
@ronkok Try |
Codecov Report
@@ Coverage Diff @@
## master #2311 +/- ##
=======================================
Coverage 94.76% 94.76%
=======================================
Files 84 84
Lines 5382 5382
Branches 943 943
=======================================
Hits 5100 5100
Misses 258 258
Partials 24 24
I want to thank you for your attention to all the infrastructure details. It's not easy keeping up with JavaScript churn.
@ronkok Thank you for the review!
I can confirm the Dependabot is running on GitHub: https://github.com/KaTeX/KaTeX/network/updates/39449665.
Do dependabot builds also trigger netlify builds?
@kevinbarabash Yes, they do. I was thinking of a way to disable them.
In a different project I tried using https://docs.netlify.com/configure-builds/file-based-configuration/#ignore-builds and checking the author of the commits. It kind of worked, but whenever I updated a PR before merging it would run a netlify build because the author of the merge commit was me. 😞
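The author-based check described in the comment above, next to a branch-name check that does not change its answer when a maintainer's merge commit becomes the tip of the PR. This is an added example, not code from the KaTeX repository or from the commenter; it assumes Dependabot's `dependabot/` branch prefix and `dependabot[bot]` author name, that Netlify exposes the PR head branch in `HEAD`, and the function names are hypothetical.

```shell
#!/bin/sh
# Netlify's `ignore` command skips the build when it exits 0 and
# builds when it exits non-zero.
# Wiring (assumption): netlify.toml -> [build] ignore = "sh ./netlify-ignore.sh"

# Author check, as tried in the comment: skip only when the tip commit
# was authored by Dependabot. $1 = author name of the tip commit.
skip_by_author() {
    case "$1" in
        'dependabot[bot]') return 0 ;;   # quoted, so [bot] is literal
    esac
    return 1
}

# Branch check: skip when the head branch was created by Dependabot.
# $1 = head branch name. The branch name stays the same after a
# maintainer merges the base branch into the PR.
skip_by_branch() {
    case "$1" in
        dependabot/*) return 0 ;;
    esac
    return 1
}

# Entry point for the ignore command. Not called here so the file can
# be sourced; call `netlify_ignore` as the last line of the real script.
# HEAD as the head-branch variable is an assumption about the build
# environment; when it is empty the build is not skipped.
netlify_ignore() {
    if skip_by_branch "${HEAD:-}"; then
        echo "Dependabot branch '${HEAD}': skipping build"
        exit 0
    fi
    exit 1
}
```

Skipping a build by branch prefix only saves build minutes; anyone who can push a branch can choose its name, so it should not be relied on as an access control.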
Dependabot is now part of GitHub and can be configured within the repo.
Regarding #2035, I think we should enable it for all dependencies as (1) the KaTeX build process may break even if it's a minor update, as in #2301, (2) it's easier to review and fix when there are few changes to the dependency, and (3) performance and compatibility might improve.
By default, it raises a maximum of five pull requests, and this value is configurable. I think this is a reasonable amount. There seems to be an auto-merge feature, if the backlog of PRs is a concern.
As most of our dependencies are outdated, I think we should get #2301 merged first, before enabling Dependabot.