
feat: add dependabot for this project for minor and patch updates for nuget packages and github actions #792

Open: wants to merge 1 commit into base: main

Conversation

@Romfos
Contributor

Romfos commented May 2, 2024

Team members of NSubstitute are very conservative about updating dependencies...

I have 2 questions:

  1. Do we want to have dependabot with update proposals? cc @nsubstitute team
  2. Do we want to have this gigantic config or better to use something simple like:
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5

?

Thank you

@dtchepak
Member

dtchepak commented May 5, 2024

Thanks for this!

1. Do we want to have dependabot with update proposals? cc @nsubstitute team

What are the possible impacts to users here? Not sure if any of these are legitimate concerns these days, but previously we've had cases like:

  • a package version drops support for a platform or adds a new dependency that means users on older platforms have issues using the version
  • Unity requiring specific versions of libs

The other consideration is what we're gaining by updating these dependencies. I think the motivations are a bit different between test-only code and production code. If a project using NSub wants a different dep version they can specify this, but iirc there isn't an easy way to force a previous version if it is required for some reason.

Again, not sure if any of these are legitimate concerns, but thought it would be worth clarifying.

2. Do we want to have this gigantic config or better to use something simple like: ...

I much prefer the simpler version! ❤️

@wmundev
Author

wmundev commented May 7, 2024

If I could help out in this discussion: if you are worried about certain packages needing to be pinned to a specific version, you can do the following, e.g. what I have done in my project is as follows

      other_minor_patch_updates:
        exclude-patterns:
        - "@fastify*"
        - "fastify"
        - "@sentry*"
        update-types:
        - "minor"
        - "patch"

this excludes any npm packages starting with @fastify or called fastify or starting with @sentry

dependabot will then exclude it from any pr opened by it in that group you specify

Also, another potential issue with removing "groups" in the config is that dependabot will open a PR for each package, which means your repository will potentially get spammed with a lot of PRs.
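To show how the simple layout Romfos asked about, the groups/exclude mechanism wmundev describes, and dtchepak's pinning concern fit together, here is a complete `.github/dependabot.yml` written as an added example (not the file from this PR or from NSubstitute). It assumes the NuGet solution sits in the repository root; the package name in the `ignore` list is a placeholder, not a real dependency.

```yaml
# .github/dependabot.yml (constructed example, not the PR's own config)
version: 2
updates:
  # NuGet packages referenced by the solution in the repo root.
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    ignore:
      # Hold back major bumps of every package: those are the updates most
      # likely to drop a target platform or pull in a new transitive dependency.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
      # Placeholder: a package that downstream consumers need at an exact version.
      # Listing it without update-types freezes it entirely.
      - dependency-name: "Example.PinnedPackage"
    # One grouped PR for all remaining minor/patch bumps instead of one PR per package.
    groups:
      nuget-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]

  # Action versions used by workflows under .github/workflows.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-patch:
        patterns: ["*"]
        update-types: ["minor", "patch"]
```

A pinned package could alternatively be kept out of the group with `exclude-patterns` as in the snippet above; the `ignore` form is stricter because it suppresses the update altogether rather than moving it to a separate PR.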

@dtchepak
Member

dtchepak commented May 8, 2024

if you are worried around certain packages needing to be pinned to a specific version,

I'm less worried about packages NSub uses, and more about requirements that projects that use NSubstitute require. (example)

I'm probably being overly conservative with this. 🤔
