
Review of dependabot PRs #32

Open
bo-lu opened this issue Feb 22, 2023 · 2 comments

@bo-lu
Member

bo-lu commented Feb 22, 2023

Not a major priority, but if you have downtime... PRs between 12 and 23 can be reviewed

@johnweng001
Contributor

@bo-lu
Two things:

  1. The PRs by dependabot are not changing the manifest file (package.json). I think we should include new version changes in package.json, and this can be done by adding `versioning-strategy: increase` in the dependabot.yml (see also https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy).
  2. All PRs are against the master branch. I think we should do it in the dev branch. (We can move .github along with dependabot.yml into dev.)
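For reference, the two settings mentioned above, as an added example `.github/dependabot.yml` rather than this project's actual file. It assumes an npm project with `package.json` at the repository root and a branch named `dev`; the weekly schedule and the PR limit are arbitrary choices.

```yaml
# .github/dependabot.yml (added example, not the project's own file)
# Assumes: npm manifest at the repo root and an existing "dev" branch.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Bump the version range in package.json as well as the lockfile,
    # so the manifest states the version that was actually tested.
    versioning-strategy: increase
    # Open version-update PRs against dev instead of the default branch.
    target-branch: "dev"
    # Cap the number of open version-update PRs to keep review manageable.
    open-pull-requests-limit: 5
```

Two caveats when applying this: Dependabot reads `dependabot.yml` from the repository's default branch, so the file has to stay on master even when `target-branch` points the PRs at dev, and `target-branch` only affects version updates; Dependabot security updates are still raised against the default branch.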

@johnweng001
Contributor

@bo-lu
This is my strategy:
Will go through each lib version upgrade manually and smoke test the app.
Will also check the dependency tree of the related lib, identify any direct references in the app-level code and look/test closer if there are any.
If no issue is observed, will create a PR to dev for each upgrade.
