
chore: configure dependabot to reduce noise #1431

Merged: 1 commit merged into master from wincent/dependabot on Sep 8, 2020

Conversation

@wincent wincent (Contributor) commented Sep 8, 2020

This is analogous to the PR in liferay-npm-tools here:

liferay/liferay-npm-tools#490

Copying the rationale here:

Dependabot spams us with update PRs that we don't want to merge because of the reasons described here:

https://github.com/liferay/liferay-frontend-guidelines/blob/master/general/security.md

Most importantly, there are drawbacks to lockfile-only updates (they are too easily reverted or misunderstood, for example) and we prefer to batch our security updates together based on some human assessment of impact/urgency etc.

So, this setting file should ensure that Dependabot only keeps at most one PR open at a time (the default is 10, I believe), and it runs weekly (the default, I believe). Additionally, given that we want these PRs only as a cue for a human to schedule a periodic manual audit, we turn off automatic rebasing to further reduce noise.

Test plan: Sadly, I don't think I can test it, short of shipping it and then monitoring. At the moment we have 6 dependency update PRs open in this repo. I'll close them and replace them with a manual update ticket, and then we'll have to watch and see whether the PR count stays at 1 or below.

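The settings described in the PR body (one open PR at a time, weekly runs, no automatic rebasing) map onto three keys of the Dependabot v2 configuration file. The file below is an added illustration, not the file merged in this PR: it assumes the repository is an npm project with its manifest at the repository root, and the comments note the defaults that the description says it is overriding.

```yaml
# .github/dependabot.yml (added example; assumes an npm project at the repo root)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      # Weekly is the interval the PR description settles on.
      interval: "weekly"
    # Default is 10 open PRs; capping at 1 keeps the PR as a single cue
    # for a human to schedule a manual dependency audit.
    open-pull-requests-limit: 1
    # Default is "auto" (Dependabot rebases its PRs whenever the base moves);
    # "disabled" stops those rebases, which is the extra noise the PR mentions.
    rebase-strategy: "disabled"
```

Note that `open-pull-requests-limit` applies to version-update PRs; Dependabot security-update PRs are not counted against it, so a repository that relies on batched, human-assessed security updates still needs to review those separately, which is consistent with the manual-audit approach the description argues for.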
@wincent wincent (Contributor, Author) commented Sep 8, 2020

By the transitive property, approval for other identical PRs (like this one) also applies here 😁, so going to merge this.

@wincent wincent merged commit a8c7613 into master Sep 8, 2020
@wincent wincent deleted the wincent/dependabot branch September 8, 2020 08:18