Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add dependabot for this project for minor and patch updates for nuget packages and github actions #792

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add dependabot for this project for minor and patch updates for nuget packages and github actions #792

wants to merge 1 commit into from

Conversation

wmundev
Copy link

@wmundev wmundev commented Apr 20, 2024

@Romfos
Copy link
Contributor

Romfos commented May 2, 2024
edited
Loading

Teams members of NSubstitute are very conservative about update dependencies...

I have 2 questions:

  1. Do we want to have dependabot with update proposals? cc @nsubstitute team
  2. Do we want to have this gigantic config or better to use something simple like:
version: 2
updates:
  - package-ecosystem: "nuget"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5

?

Thank you

@dtchepak
Copy link
Member

dtchepak commented May 5, 2024

Thanks for this!

1. Do we want to have dependabot with update proposals? cc @nsubstitute team

What are the possible impacts to users here? Not sure if any of these are legitimate concerns these days, but previously we've had cases like:

  • a package version drops support for a platform or adds a new dependency that means users on older platforms have issues using the version
  • Unity requiring specific versions of libs

The other consideration is what we're gaining by updating these dependencies. I think the motivations are a bit different between test-only code and production code. If a project using NSub wants a different dep version they can specify this, but iirc there isn't an easy way to force a previous version if it is required for some reason.

Again, not sure if any of these are legitmate concerns, but thought it would be worth clarifying.

2. Do we want to have this gigantic config or better to use something simple like: ...

I much prefer the simpler version! ❤️

@wmundev
Copy link
Author

wmundev commented May 7, 2024

if i could help out in this discussion, if you are worried around certain packages needing to be pinned to a specific version, you can do the following, e.g. what i have done in my project is as follows

      other_minor_patch_updates:
        exclude-patterns:
        - "@fastify*"
        - "fastify"
        - "@sentry*"
        update-types:
        - "minor"
        - "patch"

this excludes any npm packages starting with @fastify or called fastify or starting with @sentry

dependabot will then exclude it from any pr opened by it in that group you specify

also another potential issue with removing "groups" in the config is that dependabot will open a PR For each package, which means your repository will potentially get spammed with a lot of PRs

@dtchepak
Copy link
Member

dtchepak commented May 8, 2024
edited
Loading

if you are worried around certain packages needing to be pinned to a specific version,

I'm less worried about packages NSub uses, and more about requirements that projects that use NSubstitute require. (example)

I'm probably being overly conservative with this. 🤔

@Romfos
Copy link
Contributor

Romfos commented Nov 28, 2024

if you are worried around certain packages needing to be pinned to a specific version,

I'm less worried about packages NSub uses, and more about requirements that projects that use NSubstitute require. (example)

I'm probably being overly conservative with this. 🤔

Okay, what is the final decision? For now we don't want to have dependabot, right?

@dtchepak
Copy link
Member

Okay, what is the final decision? For now we don't want to have dependabot, right?

@Romfos I'm happy to go with whatever you recommend here. We don't need to accept dependabot PRs so shouldn't be an issue if you want to try it out.

@Romfos
Copy link
Contributor

Romfos commented Dec 8, 2024

@dtchepak according to you comment here: #831 (comment)

If I right understand your comment. We want to stay on older dependencies for package project

We can enable it for non-package projects like unit tests

version: 2
updates:
  - package-ecosystem: "nuget"
    directories: 
      - "/tests/NSubstitute.Acceptance.Specs"	
      - "/tests/NSubstitute.Benchmarks"
      - "/build"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wmundev @Romfos @dtchepak