This is just IMO, but getting my inbox flooded every month with hundreds of
dependabot PRs is annoying, even if I don't end up handling most of them myself
(thanks to others who do!). And then philosophically, I don't know if this is
even the right approach. I don't think that whoever merges these PRs actually
has the capacity or the knowledge to check that everything is still working as
expected. Often subtle things can break after package updates, like a class
name from an npm package no longer fitting a style definition in our code
(as happened once with e.g. codemirror in the past, and nobody noticed when
merging, and that bug is still present in Thanos' port of our UI). And you
can't look in detail at the UI for every little PR that dependabot sends.
Node module dependencies are inherently very noisy because there are so many of
them, but I think a better approach would be to update them maybe once or twice
a year (or whenever really needed), with all deps updated together, at a time
when a maintainer has the time to really look at things carefully, and then do
a comprehensive manual check of the UI to see that everything is still behaving
as before.
Signed-off-by: Julius Volz <julius.volz@gmail.com>
Until we have removed the code for the old UI, we should maintain the
dependabot configuration for security warnings.
Signed-off-by: SuperQ <superq@gmail.com>
The default limit of 5 is a bit small given the number of dependencies
we have for Go and JS. Increase to 20 to allow more updates to be
pushed.
Signed-off-by: SuperQ <superq@gmail.com>
Dependabot allows grouping dependencies by a list of patterns.
This enables it for k8s.io and opentelemetry dependencies separately.
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
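An added configuration example (not the project's own dependabot.yml) that ties the commits above together: the raised per-ecosystem PR limit, separate k8s.io and opentelemetry groups, and a legacy UI entry kept only so security advisories still produce PRs. The directory paths, the monthly schedule and the exact glob patterns are assumptions.

```yaml
# Illustrative dependabot.yml; directories, schedule and globs are assumed.
version: 2
updates:
  # Go modules: raise the cap from the default of 5 and group related
  # modules so k8s.io and opentelemetry bumps each arrive as a single PR.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 20
    groups:
      k8s.io:
        patterns:
          - "k8s.io/*"               # matches k8s.io/api, k8s.io/client-go, ...
      opentelemetry:
        patterns:
          - "go.opentelemetry.io/*"  # matches the otel SDK and exporters

  # Current UI: version updates allowed, same raised cap.
  - package-ecosystem: "npm"
    directory: "/web/ui"             # assumed path
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 20

  # Old UI: a limit of 0 disables routine version-update PRs for this
  # directory. Security updates are unaffected by this option (they have
  # their own internal limit), so advisories still open PRs here.
  - package-ecosystem: "npm"
    directory: "/web/ui/old"         # assumed path
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 0
```

Grouped updates land as one PR per group, so a maintainer reviews the k8s.io bump once rather than once per module, while ungrouped dependencies still count individually against the 20-PR cap.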