I think it's quite great to have Dependabot for us to upgrade dependencies
for security purposes.

I'm wondering if it's worth keeping it enabled but sometimes rejecting its PRs
(e.g. when they introduce duplicated packages, or when the upgrade breaks
something that will require someone's effort to fix).

I also wonder if it might be good to enable it without the check for duplicated
packages for a while, to see if we get benefits from it.
If build performance gets worse, then let's bring back the check for
duplicated packages? 🤔


On Thu, Apr 23, 2020 at 3:58 AM Josh Matthews <j...@joshmatthews.net> wrote:

> Based on https://github.com/servo/servo/pull/26255 and
> https://github.com/servo/servo/pull/26258 which are both crates.io
> dependencies, it does seem like it relies on some metadata that is not
> present in every dependency.
>
> On 2020-04-22 2:45 p.m., Simon Sapin wrote:
> > On 22/04/2020 20:30, Josh Matthews wrote:
> >> * it provides links to changelogs/release notes/included commits which
> >> makes reviewing easier
> >
> > Does this also work for crates.io dependencies? (As opposed to git
> > dependencies.) Does it rely on the upstream repository having git tags
> > that happen to match the crates.io version numbers?
> >
>
> _______________________________________________
> dev-servo mailing list
> dev-servo@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-servo
>
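The "check for duplicated packages" discussed in this thread is, in practice, a scan of Cargo.lock for crates that appear under more than one version, which is what a Dependabot bump can introduce when one dependent moves to a new major version while another still pins the old one. The script below is an added, stand-alone illustration of such a check; it is not code from this thread or from Servo's own tidy tooling. The Cargo.lock excerpt, the crate versions in it, and the `allowlist` parameter are constructed assumptions for the example.

```python
"""Detect crates present under more than one version in a Cargo.lock.

Added example, not Servo's tidy check. It reads the [[package]] tables of a
Cargo.lock directly (all lockfile versions use this shape for name/version)
so it needs no TOML library and runs on any Python 3 interpreter.
"""
import re
from collections import defaultdict

# Constructed sample (not a real Servo lockfile): `syn` is present twice,
# the situation a dependency bump can create when one crate has moved to a
# new major version while another still requires the old one.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
[[package]]
name = "proc-macro2"
version = "1.0.10"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_derive"
version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "proc-macro2",
 "syn 1.0.17",
]

[[package]]
name = "syn"
version = "0.15.44"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "syn"
version = "1.0.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Only the two keys the check needs; other keys in a table are ignored.
_KEY_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_packages(lock_text):
    """Return [(name, version), ...] for every [[package]] table, in file order."""
    packages = []
    current = None  # dict for the [[package]] table being read, else None

    def flush():
        if current and "name" in current and "version" in current:
            packages.append((current["name"], current["version"]))

    for raw in lock_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # Any table header ([[package]], [metadata], ...) ends the previous table.
            flush()
            current = {} if line == "[[package]]" else None
            continue
        if current is None:
            continue  # header comments or a table we do not care about
        m = _KEY_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    flush()
    return packages


def find_duplicates(lock_text, allowlist=frozenset()):
    """Map crate name -> sorted versions for crates resolved more than once.

    `allowlist` (hypothetical parameter) names crates whose duplication the
    project has decided to tolerate; a real check would keep that list in
    the repository next to the script.
    """
    versions = defaultdict(set)
    for name, version in parse_packages(lock_text):
        versions[name].add(version)
    return {
        name: sorted(vs)
        for name, vs in versions.items()
        if len(vs) > 1 and name not in allowlist
    }


def check_lock(lock_text, allowlist=frozenset()):
    """Return (ok, messages): ok is False when any unallowed duplicate exists."""
    dups = find_duplicates(lock_text, allowlist)
    messages = [
        "duplicate crate %s: versions %s" % (name, ", ".join(vs))
        for name, vs in sorted(dups.items())
    ]
    return (not dups, messages)


if __name__ == "__main__":
    import sys
    # Pass a path to a Cargo.lock, or run with no argument to use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    ok, msgs = check_lock(text)
    for msg in msgs:
        print(msg)
    sys.exit(0 if ok else 1)
```

Run against a Dependabot PR's Cargo.lock, a non-zero exit is the signal to either reject the PR or, if the duplication is accepted for now, add the crate to the allowlist; the allowlist is what lets the check be relaxed temporarily, as proposed above, without turning it off entirely.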