Add dependabot #159

Closed
wants to merge 2 commits into from
Conversation

NobodyXu
Contributor

@NobodyXu NobodyXu commented May 3, 2023

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
@qryxip
Collaborator

qryxip commented May 3, 2023

Please see #117 (comment).

@est31 Let me make sure. Did you change your thought since then?

and set open-pull-requests-limit to 10

Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
@NobodyXu
Contributor Author

NobodyXu commented May 3, 2023

Please see #117 (comment).

I've changed dependabot to check for updates weekly instead of daily and also set open-pull-requests-limit to 10 to prevent it from being too disturbing.
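The settings described in this comment, written out as an added example of a `.github/dependabot.yml` (this is not the file from the PR; the cargo ecosystem and the repository root as the manifest directory are assumed):

```yaml
# Added example, not the PR's own file. Dependabot version-update config
# matching the comment above: weekly checks, at most 10 open PRs.
version: 2
updates:
  - package-ecosystem: "cargo"   # assumed: a Rust crate with Cargo.toml at the root
    directory: "/"               # assumed: manifest lives in the repository root
    schedule:
      interval: "weekly"         # was "daily" in the first commit of the PR
    # Caps the number of simultaneously open version-update PRs (default is 5).
    open-pull-requests-limit: 10
```

Setting `open-pull-requests-limit: 0` would disable version-update PRs for this ecosystem entirely; Dependabot security updates are enabled separately in the repository settings and are not governed by this schedule.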

@est31
Owner

est31 commented May 3, 2023

Hi @qryxip, thanks for asking. Nothing much has changed in terms of my opinion on dependabot; the comment you linked to is still what I feel.

For security updates it makes sense to have timely upgrades, but keeping the git repository always up to date for most dependencies in Cargo.lock is not really something that is good for the git history. It only really matters shortly before a release of cargo-udeps is done, so that's why I run cargo update before a release. Then, dependencies are up to date once the release happens. The next release is six weeks later, ideally. I have made a pause due to #151 but ideally the schedule is one cargo-udeps release every six weeks, unless there is something really pressing that needs a new release immediately.

The coarsest level supported by dependabot is monthly upgrades but that's not what we need: we need an upgrade once every six weeks. There is an issue in the dependabot repository about cron expression support. Once we have that we can maybe tune it to run one day after the release or so.

The other blocker is that dependabot creates one PR for each dependency, which is wasteful as well. There is a long standing issue on github about this, and the latest comments say they are working on the feature, so maybe we'll see something soon.

Note that the rust compiler repository is on the opposite end, they haven't run a general cargo update in years. I don't want that either 😆 .

@NobodyXu
Contributor Author

NobodyXu commented May 3, 2023

Ok, I will close this PR then.

@NobodyXu NobodyXu closed this May 3, 2023
@NobodyXu NobodyXu deleted the add-dependabot branch May 3, 2023 14:56