Hi,

> I have a few questions that I'm interested in hearing feedback on:
> * should we use Dependabot at all?

I personally don't think we should use Dependabot. Looking at the current PRs it made, the `time` one I'm 99% sure needs code changes and would introduce a duplicate. The `keyboard-types` one is probably wrong, would introduce a dupe in a crate used for sharing types across crates (would probably not compile). The `image` one would dupe png. The `cc` and `smallvec` ones break the build. The `winit` one doesn't build, would bring in more dupes.

> * is our policy to ban duplicate versions by default still useful?

Yes. Servo's dependency graph is huge already, let's not make it worse by having 3 versions of the same dependency for every dependency.

> * what changes should we make to the policy to accommodate the use of
> Dependabot?

If it opened issues on semver breaking changes and maybe pinged people that like updating dependencies then it might be better. Some of those might even be good first issues, like the `time` one, if we can provide examples of similar bumps.

Regards,
Bastien
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo