Hello all! You may have noticed some new pull requests from Dependabot [1], which is a service to create automated pull requests to update dependencies.

There are several things I like about this service:
* it provides links to changelogs/release notes/included commits which makes reviewing easier
* it automatically rebases its PRs if merge conflicts appear
* it supports quite a bit of customization [2]
* it removes the need for a member of the team to regularly check for new releases that fix security vulnerabilities

One concern that has been raised [3] is the tension between updating packages and minimizing the set of duplicated packages. If Dependabot is used in the default setting of updating every dependency to the latest version as often as possible, we will likely introduce duplicate crates more frequently than we currently do. Our existing test-tidy check for duplicates makes this mode less useful for us, because it requires modifying the relevant Dependabot PRs to update the list of allowed duplicates when they are added.

Dependabot does support operating modes where certain packages are exempt from automatic updates, or only making PRs for semver-minor updates and ignoring major version changes. These modes might reduce how often we need to update the list of duplicates, but it's still possible for minor version changes to introduce new duplicates.

I have a few questions that I'm interested in hearing feedback on:
* should we use Dependabot at all?
* is our policy to ban duplicate versions by default still useful?
* what changes should we make to the policy to accommodate the use of Dependabot?

Cheers,
Josh

P.S. Before forming an opinion on the utility of Dependabot, please take a look at the collapsed-by-default "Dependabot commands and options" [4].

[1] https://dependabot.com/, https://github.com/servo/servo/pull/26256
[2] https://dependabot.com/docs/config-file/
[3] https://github.com/servo/servo/issues/26262
[4] https://github.com/servo/servo/pull/26256#issue-407135420
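As an added illustration of the duplicate check the post refers to (this is example code, not Servo's own test-tidy; it assumes the check reads Cargo.lock and compares against a hand-maintained allow-list), the script below parses a constructed Cargo.lock fragment, reports crates resolved at more than one version, and flags any duplicate not on the allow-list, which is the failure a dependency bump can trigger when one dependent moves to a new release while another still requires the old one.

```python
from collections import defaultdict

# Constructed Cargo.lock fragment: `log` and `syn` are each resolved at two
# versions, the situation a dependency bump creates when dependents disagree.
SAMPLE_LOCK = """\
[[package]]
name = "log"
version = "0.4.8"
[[package]]
name = "log"
version = "0.3.9"
[[package]]
name = "syn"
version = "1.0.17"
[[package]]
name = "syn"
version = "0.15.44"
"""

# Hypothetical allow-list of duplicates the project has already accepted.
ALLOWED_DUPLICATES = {"syn"}


def parse_packages(lock_text):
    """Yield (name, version) for each [[package]] table in a Cargo.lock."""
    fields = {}
    for line in lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            if "name" in fields and "version" in fields:
                yield fields["name"], fields["version"]
            fields = {}
        elif " = " in line:
            key, value = line.split(" = ", 1)
            fields[key] = value.strip('"')
    if "name" in fields and "version" in fields:
        yield fields["name"], fields["version"]


def duplicated_crates(lock_text):
    """Return {crate: sorted versions} for crates present at more than one version."""
    seen = defaultdict(set)
    for name, version in parse_packages(lock_text):
        seen[name].add(version)
    return {name: sorted(v) for name, v in seen.items() if len(v) > 1}


def check_duplicates(lock_text, allowed):
    """Return duplicated crates missing from the allow-list; empty means the check passes."""
    return sorted(name for name in duplicated_crates(lock_text) if name not in allowed)
```

Run against a real Cargo.lock, `check_duplicates` returning a non-empty list is the point at which a Dependabot PR would need the allow-list edited before it could pass tidy.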
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo