Posted to dev@cordova.apache.org by Norman Breau <no...@nbsolutions.ca> on 2022/06/07 13:32:14 UTC

Dependabot

Hi Team,

Just curious on other thoughts on Dependabot now that Apache enabled 
them across the repos. Do we review and merge them as is? Should we 
build PRs like https://github.com/apache/cordova-js/pull/255 to 
regenerate package-lock, which will result in Dependabot closing 
their PRs? Case-by-case basis?

Personally I think I favour the manual PR approach as it will squash 
several Dependabot PRs into one, and Dependabot is smart enough to notice 
when their PR is outdated.

Cheers,
Norman



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@cordova.apache.org
For additional commands, e-mail: dev-help@cordova.apache.org


Re: Dependabot

Posted by Bryan Ellis <er...@apache.org>.
I think the version difference is not the main point and was a bad example. I had bumped the version within minutes before that PR.

I don’t mind if Dependabot's service is on, but usually, I will rebuild the file myself and skip the Dependabot PRs. 

I find their PR submissions a little annoying. The service seems to submit a couple of PRs, and then after merging one, more (5-10) are created within seconds.

I didn't want to deal with a chain of PRs and find it easier to submit a single PR that bumped everything.

As far as I remember, their PRs only affect the package-lock.json file, which is a developer-only file. It is not released within the final package to end-users.

Keeping the service enabled could still be nice-to-have as the PRs provide notices of updates. The PRs also usually contain the change logs of the dependency.

As for accepting and merging the Dependabot PRs or creating our own, I don't believe it is something we need to worry too much about. I think, however, any individual who wants to handle it is acceptable. And it could be handled case-by-case. If someone wants to sit there and go through the chain of PRs that it submits, until they stop submitting PRs, that is fine too.


> On Jun 8, 2022, at 02:14, julio cesar sanchez <jc...@gmail.com> wrote:
> 
> In this case the package-lock was out of sync with the package.json (it had
> v6.x.x while package.json had 7.x.x), so if we have more packages with the
> same problem we should fix them.
> 
> But if the package-lock is ok, then I think we can just merge the
> dependabot PRs; what’s the advantage of having it if we still send PRs
> manually to do the same?
> 
> 
> On Tuesday, June 7, 2022, Norman Breau <no...@nbsolutions.ca>
> wrote:
> 
>> 
>> Hi Team,
>> 
>> Just curious on other thoughts on Dependabot now that Apache enabled them
>> across the repos. Do we review and merge them as is? Should we build PRs
>> like https://github.com/apache/cordova-js/pull/255 to regenerate
>> package-lock, which will result in Dependabot closing their PRs?
>> Case-by-case basis?
>> 
>> Personally I think I favour the manual PR approach as it will squash
>> several Dependabot PRs into one, and Dependabot is smart enough to notice
>> when their PR is outdated.
>> 
>> Cheers,
>> Norman
>> 




Re: Dependabot

Posted by julio cesar sanchez <jc...@gmail.com>.
In this case the package-lock was out of sync with the package.json (it had
v6.x.x while package.json had 7.x.x), so if we have more packages with the
same problem we should fix them.

But if the package-lock is ok, then I think we can just merge the
dependabot PRs; what’s the advantage of having it if we still send PRs
manually to do the same?


On Tuesday, June 7, 2022, Norman Breau <no...@nbsolutions.ca>
wrote:

>
> Hi Team,
>
> Just curious on other thoughts on Dependabot now that Apache enabled them
> across the repos. Do we review and merge them as is? Should we build PRs
> like https://github.com/apache/cordova-js/pull/255 to regenerate
> package-lock, which will result in Dependabot closing their PRs?
> Case-by-case basis?
>
> Personally I think I favour the manual PR approach as it will squash
> several Dependabot PRs into one, and Dependabot is smart enough to notice
> when their PR is outdated.
>
> Cheers,
> Norman
>
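The drift julio describes (package-lock.json still pinning 6.x while package.json asks for 7.x) is the kind of inconsistency that makes `npm ci` refuse to install and that quietly breaks reproducible builds when someone uses `npm install` instead. The script below is an added example written for this editorial pass; it is not code from the thread or from the Cordova project. It assumes the npm 7+ lockfile layout (lockfileVersion 2 or 3), where `packages[""]` mirrors the root manifest and `packages["node_modules/<name>"].version` is the installed version. The package names and versions are constructed to reproduce the 6.x-versus-7.x situation from the list, and the range parser only understands caret, tilde and exact ranges, reporting nothing for anything more complex.

```javascript
// Added example, not part of the mailing-list thread or the Cordova code base:
// detect drift between package.json and package-lock.json (npm lockfileVersion 2/3).

// Constructed sample manifest (hypothetical package names).
const packageJson = {
  name: 'sample-app',
  dependencies: { 'left-pad-ish': '^7.0.0', 'another-lib': '~2.1.0' },
  devDependencies: { 'test-runner': '^9.0.0' },
};

// Constructed sample lockfile (v3 layout). The root entry still says ^6.0.0 and
// the installed copy is 6.4.1, so the lock is out of sync with the manifest.
const packageLock = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { 'left-pad-ish': '^6.0.0', 'another-lib': '~2.1.0' },
      devDependencies: { 'test-runner': '^9.0.0' },
    },
    'node_modules/left-pad-ish': { version: '6.4.1' },
    'node_modules/another-lib': { version: '2.1.3' },
    'node_modules/test-runner': { version: '9.2.0' },
  },
};

// Major version from a caret, tilde or exact range (^7.0.0, ~2.1.0, 1.2.3).
// Returns null for ranges this simple parser does not understand (e.g. ">=1 <3").
function majorOfRange(range) {
  const m = /^[\^~]?(\d+)\.\d+\.\d+$/.exec(String(range).trim());
  return m ? Number(m[1]) : null;
}

// Major version of a concrete locked version such as 6.4.1.
function majorOfVersion(version) {
  const m = /^(\d+)\.\d+\.\d+/.exec(String(version));
  return m ? Number(m[1]) : null;
}

// Returns a list of findings; an empty list means manifest and lockfile agree.
function findLockDrift(manifest, lock) {
  const findings = [];
  const packages = (lock && lock.packages) || {};
  const root = packages[''] || {};
  for (const field of ['dependencies', 'devDependencies']) {
    const wanted = manifest[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(wanted)) {
      // 1. The lockfile's root entry must repeat the manifest's declared range.
      if (locked[name] !== range) {
        findings.push({ name, kind: 'range-mismatch', manifest: range, lock: locked[name] ?? null });
      }
      // 2. The installed copy must live in the major version the manifest asks for.
      const entry = packages[`node_modules/${name}`];
      if (!entry) {
        findings.push({ name, kind: 'missing-in-lock', manifest: range, lock: null });
        continue;
      }
      const want = majorOfRange(range);
      const have = majorOfVersion(entry.version);
      if (want !== null && have !== null && want !== have) {
        findings.push({ name, kind: 'major-mismatch', manifest: range, lock: entry.version });
      }
    }
    // 3. Anything the lockfile root still lists that the manifest no longer declares.
    for (const name of Object.keys(locked)) {
      if (!(name in wanted)) {
        findings.push({ name, kind: 'stale-in-lock', manifest: null, lock: locked[name] });
      }
    }
  }
  return findings;
}

// Stand-alone run: print one line per finding for the constructed input.
const driftReport = findLockDrift(packageJson, packageLock);
for (const f of driftReport) {
  console.log(`${f.kind}: ${f.name} manifest=${f.manifest} lock=${f.lock}`);
}
```

Running this on the constructed input reports two findings for `left-pad-ish` (a range mismatch and a major-version mismatch) and nothing for the other packages; in a real repository you would load the two files with `JSON.parse(fs.readFileSync(...))` and fail the CI job when the list is non-empty, which catches the out-of-sync lock before a Dependabot PR or a hand-made regeneration PR has to.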