Dependabot for Elixir deps for all tooling #229
Comments
depends what update means -- patch versions? sure. Minor/major versions? no, I think that should be done by a human
I don't have much experience with long-term maintenance of dependencies, but in principle I don't have an issue with asking dependabot to update things. If all tests pass, that should be fine, we can always fix broken things later. We can also treat dependabot as a notifier of new versions and not feel pressured to update...
In general, if you intend to maintain a project long term, I would say some sort of automated dependency update is necessary. The reason is that if you do maintain a project, at some point you will need to make a change to the project that requires a new external dependency or a new feature from the current one. If you didn't do regular dep updates, now you have to do all of them at once. This increases the risk and time sink of that one change. I think our tools will be maintained long term, and we need fresh dependencies because we will do Elixir lang updates in all of them regularly. If you have good test coverage, automated dep updates should be safe. If you don't, you need to test each one manually. Here is where I am not so sure about our situation 🤔 The situation also hugely varies between Elixir deps and JS deps. Thankfully the Elixir world is much more sane, and the version level changes actually mean something. In the JS world, there are plenty of deps where major version updates aren't actually that, and plenty of patch version updates break your whole project 🤦 I think my vote would be to add automated updates to our projects for patch and minor updates, but not for major updates. But also there are so few of them that I can also see this whole thing not being worth it.
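A Dependabot configuration that matches the policy voted for in the comment above (automated patch and minor updates for Elixir deps, no major updates), as an added example that is not from this thread or from the project's repositories. The root directory, weekly schedule and pull request limit are assumptions.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  # "mix" is Dependabot's ecosystem name for Elixir/Hex dependencies.
  - package-ecosystem: "mix"
    # Assumption: mix.exs and mix.lock live at the repository root.
    directory: "/"
    schedule:
      # Assumption: weekly keeps PR volume low for a small set of deps.
      interval: "weekly"
    # Assumption: cap concurrent update PRs so reviewers are not flooded.
    open-pull-requests-limit: 5
    ignore:
      # Never open PRs for major version bumps; a human handles those.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-major"
          # To allow patch updates only (the stricter option raised
          # earlier in the thread), also ignore minor bumps:
          # - "version-update:semver-minor"
```

The `ignore` rules apply to version updates only; Dependabot security updates are configured separately and still propose the minimum fixed version of a vulnerable dependency.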
How do we evaluate test coverage?
In the past I have used https://coveralls.io/ + https://github.com/parroty/excoveralls, apparently you can also pass a
Should we configure all tooling repos to automatically update Elixir deps with dependabot?