
Dependabot suggestion #10352

Closed
ccoVeille opened this issue Jul 12, 2024 · 6 comments

Comments

@ccoVeille

May I suggest you use the groups feature in dependabot?

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups

This could reduce the number of PRs

You can have a look at what was done in this repository when I suggested it

Zxilly/go-size-analyzer@ec9c028

It would drastically reduce the number of PRs opened by dependabot because they will be grouped.

@ccoVeille
Author

This request is somehow related to

@chris48s
Member

We do use groups for bumping packages that need to be upgraded in step, e.g.:

```yaml
groups:
  # All official @docusaurus/* packages should have the exact same version as @docusaurus/core.
  # From https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#groups:
  # "You cannot apply a single grouping set of rules to both version updates and security
  # updates [...] you must define two, separately named, grouping sets of rules"
  # See https://github.com/badges/shields/issues/10242 for more information.
  docusaurus-version-updates:
    applies-to: version-updates
    patterns:
      - '@docusaurus/*'
  docusaurus-security-updates:
    applies-to: security-updates
    patterns:
      - '@docusaurus/*'
```

Conceptually, I prefer not to lump them together arbitrarily.

What is your motivation for raising this issue? As someone who does not review PRs on this repo, what difference does it make how we manage this?
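For reference, here is a complete `.github/dependabot.yml` that puts the two grouping styles discussed in this thread side by side. It is an added example, not the Shields repository's own configuration: the `npm` ecosystem, the weekly schedule and the `dev-minor-and-patch` group are assumptions; the `@docusaurus/*` groups are the ones quoted above. The point it illustrates is that grouping can cut notification volume without hiding the updates that matter for security review: `applies-to: security-updates` keeps vulnerability fixes in their own PRs, and the noise-reduction group is restricted to minor/patch bumps of development-only dependencies, so production dependencies and major bumps still arrive one per PR and can be reviewed, bisected or reverted in isolation.

```yaml
# .github/dependabot.yml (added example, not the repository's own file)
version: 2
updates:
  - package-ecosystem: "npm"   # assumed ecosystem
    directory: "/"
    schedule:
      interval: "weekly"       # assumed cadence
    groups:
      # Lock-step packages: one PR per update kind, as in the config quoted above.
      # Version updates and security updates cannot share a group, hence two entries.
      docusaurus-version-updates:
        applies-to: version-updates
        patterns:
          - "@docusaurus/*"
      docusaurus-security-updates:
        applies-to: security-updates
        patterns:
          - "@docusaurus/*"
      # Noise reduction (hypothetical group): batch minor/patch bumps of
      # development-only dependencies. Production dependencies, major bumps and
      # all security updates are deliberately left out of this group, so each
      # still lands as its own PR and a failing one is easy to unpick.
      dev-minor-and-patch:
        applies-to: version-updates
        dependency-type: "development"
        update-types:
          - "minor"
          - "patch"
        exclude-patterns:
          - "@docusaurus/*"    # already handled by the lock-step groups
```

Anything not matched by a group keeps Dependabot's default behaviour of one PR per dependency, which is what makes the separation above work: the batching applies only where a single failing bump is cheap to isolate, and every security update remains individually visible.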

@ccoVeille
Author

I'm watching the repository, and I'm getting so many notifications about dependabot updates that want to bump things.

@ccoVeille
Author

My issue finds some replies in what was posted there:

#10351 (comment)

While reducing the frequency could help, I think that some dependencies could get bumped together.

@chris48s
Member

OK. Personally I find a PR like encode/httpx#3233 is just unhelpful to try and review and difficult to unpick if something fails. I care about that more than the number of notifications.

If you like this feature and want to use it on your own repos, enjoy.

If you want to watch the repo anyway, maybe GitHub's watch settings can help you focus on the stuff you are interested in:

[Screenshot at 2024-07-13 14-13-29]

@chris48s closed this as not planned on Jul 13, 2024
@ccoVeille
Author

I understand. Thanks for replying.
