[dev-servo] Should we use Dependabot?
Hello all! You may have noticed some new pull requests from Dependabot [1], which is a service to create automated pull requests to update dependencies. There are several things I like about this service:

* it provides links to changelogs/release notes/included commits which makes reviewing easier
* it automatically rebases its PRs if merge conflicts appear
* it supports quite a bit of customization [2]
* it removes the need for a member of the team to regularly check for new releases that fix security vulnerabilities

One concern that has been raised [3] is the tension between updating packages and minimizing the set of duplicated packages. If Dependabot is used in the default setting of updating every dependency to the latest version as often as possible, we will likely introduce duplicate crates more frequently than we currently do. Our existing test-tidy check for duplicates makes this mode less useful for us, because it requires modifying the relevant Dependabot PRs to update the list of allowed duplicates when they are added.

Dependabot does support operating modes where certain packages are exempt from automatic updates, or only making PRs for semver-minor updates and ignoring major version changes. These modes might reduce how often we need to update the list of duplicates, but it's still possible for minor version changes to introduce new duplicates.

I have a few questions that I'm interested in hearing feedback on:

* should we use Dependabot at all?
* is our policy to ban duplicate versions by default still useful?
* what changes should we make to the policy to accommodate the use of Dependabot?

Cheers,
Josh

ps. Before forming an opinion on the utility of Dependabot, please take a look at the collapsed-by-default "Dependabot commands and options" [4]

[1] https://dependabot.com/, https://github.com/servo/servo/pull/26256
[2] https://dependabot.com/docs/config-file/
[3] https://github.com/servo/servo/issues/26262
[4] https://github.com/servo/servo/pull/26256#issue-407135420

___
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo
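The tension Josh describes between a "ban duplicates by default" tidy rule and automated dependency bumps is easiest to see with the check itself in hand. The script below is an added illustration, not Servo's actual test-tidy code: it parses the documented `[[package]]` tables of a Cargo.lock, reports crates locked at more than one version that are not on an allowlist, and also reports allowlist entries that no longer correspond to a real duplicate (the bookkeeping that a Dependabot PR forces a human to do). The Cargo.lock excerpt and the allowlist are constructed for the example.

```python
"""Duplicate-crate check over a Cargo.lock, in the spirit of Servo's test-tidy.

Added example, not Servo's own tidy code. It assumes only Cargo.lock's
documented layout ([[package]] tables carrying "name" and "version" keys);
the lock-file excerpt and the allowlist below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt: "rand" and "smallvec" each appear twice.
SAMPLE_LOCK = """
[[package]]
name = "libc"
version = "0.2.69"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rand"
version = "0.6.5"

[[package]]
name = "rand"
version = "0.7.3"

[[package]]
name = "smallvec"
version = "0.6.13"

[[package]]
name = "smallvec"
version = "1.4.0"
"""

# Constructed allowlist: duplicates of these crates are tolerated for now.
ALLOWED_DUPLICATES = {"rand"}

_PACKAGE_HEADER = re.compile(r"^\[\[package\]\]$")
_KEY_VALUE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_lock(text):
    """Return {crate_name: sorted list of locked versions} from Cargo.lock text.

    Only "name" and "version" are collected; other keys ("source", "checksum",
    multi-line "dependencies" arrays) are skipped because their lines do not
    match the simple key = "value" shape or carry keys we ignore.
    """
    versions = defaultdict(set)
    current = {}
    # A trailing sentinel header flushes the final [[package]] table.
    for raw in text.splitlines() + ["[[package]]"]:
        line = raw.strip()
        if _PACKAGE_HEADER.match(line):
            if "name" in current and "version" in current:
                versions[current["name"]].add(current["version"])
            current = {}
            continue
        m = _KEY_VALUE.match(line)
        if m and m.group(1) in ("name", "version"):
            current[m.group(1)] = m.group(2)
    # Lexicographic sort is enough for reporting; it is not a semver compare.
    return {name: sorted(v) for name, v in versions.items()}


def find_duplicates(versions):
    """Crates that the lock file pins at more than one version."""
    return {name: v for name, v in versions.items() if len(v) > 1}


def check_duplicates(lock_text, allowed):
    """Return (violations, stale_allowances).

    violations: duplicated crates absent from the allowlist (the tidy failure
    a dependency bump can trigger).
    stale_allowances: allowlisted crates no longer duplicated, so the entry
    can be dropped to keep the allowlist honest.
    """
    dups = find_duplicates(parse_lock(lock_text))
    violations = {n: v for n, v in dups.items() if n not in allowed}
    stale = sorted(n for n in allowed if n not in dups)
    return violations, stale


if __name__ == "__main__":
    violations, stale = check_duplicates(SAMPLE_LOCK, ALLOWED_DUPLICATES)
    for name, vers in sorted(violations.items()):
        print(f"duplicate crate not on allowlist: {name} {', '.join(vers)}")
    for name in stale:
        print(f"allowlist entry no longer needed: {name}")
    raise SystemExit(1 if violations else 0)
```

Run against the constructed input it fails on `smallvec` (two versions, not allowlisted) and accepts `rand`; adding `smallvec` to the allowlist is exactly the extra commit a Dependabot PR would need, and the stale-entry report is what keeps that list from only ever growing.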
Re: [dev-servo] Should we use Dependabot?
On 22/04/2020 20:30, Josh Matthews wrote:
> * it provides links to changelogs/release notes/included commits which makes reviewing easier

Does this also work for crates.io dependencies? (As opposed to git dependencies.) Does it rely on the upstream repository having git tags that happen to match the crates.io version numbers?

-- 
Simon Sapin
Re: [dev-servo] Should we use Dependabot?
Based on https://github.com/servo/servo/pull/26255 and https://github.com/servo/servo/pull/26258 which are both crates.io dependencies, it does seem like it relies on some metadata that is not present in every dependency.

On 2020-04-22 2:45 p.m., Simon Sapin wrote:
> On 22/04/2020 20:30, Josh Matthews wrote:
>> * it provides links to changelogs/release notes/included commits which makes reviewing easier
>
> Does this also work for crates.io dependencies? (As opposed to git dependencies.) Does it rely on the upstream repository having git tags that happen to match the crates.io version numbers?
Re: [dev-servo] Should we use Dependabot?
I think it's quite great to have Dependabot for us to upgrade dependencies for security purposes. I'm wondering if it's worth keeping it enabled but sometimes rejecting its PRs (e.g. when they add duplicated packages, or the upgrade breaks something, which will require someone's effort to fix). I also wonder if it might be good to enable it with no checking for duplicated packages for a while to see if we can get benefits from it. If build performance gets worse, then let's bring back the check for duplicated packages? 🤔

On Thu, Apr 23, 2020 at 3:58 AM Josh Matthews wrote:
> Based on https://github.com/servo/servo/pull/26255 and
> https://github.com/servo/servo/pull/26258 which are both crates.io
> dependencies, it does seem like it relies on some metadata that is not
> present in every dependency.
>
> On 2020-04-22 2:45 p.m., Simon Sapin wrote:
> > On 22/04/2020 20:30, Josh Matthews wrote:
> >> * it provides links to changelogs/release notes/included commits which
> >> makes reviewing easier
> >
> > Does this also work for crates.io dependencies? (As opposed to git
> > dependencies.) Does it rely on the upstream repository having git tags
> > that happen to match the crates.io version numbers?