chore: check for package updates using dependabot monthly #329

Open
wants to merge 1 commit into
base: main

Conversation

jlosito

@jlosito jlosito commented Aug 22, 2024

Motivation

I use repolinter in my devDependencies in order to check my repository. I've gotten a couple of security notifications from GitHub due to third-party libraries linked to repolinter. This change should help keep dependencies up to date.

Proposed Changes

This will use dependabot to check for package updates on a monthly basis. If there are any updates, dependabot will submit a pull request with a version bump.

Test Plan

There should be several pull requests made from dependabot.

@jlosito jlosito requested a review from hyandell as a code owner August 22, 2024 19:01
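The configuration the proposal describes, written out as an added example rather than the PR's own commit (the changed file is not shown on this page): a `.github/dependabot.yml` that schedules npm version updates monthly. Dependabot version updates are a separate mechanism from the security updates the maintainer already has enabled, which only open pull requests for dependencies with a published advisory. The `open-pull-requests-limit` and `groups` keys are my assumed additions to address the noise concern raised later in the thread; they are not part of what the PR proposes.

```yaml
# .github/dependabot.yml
# Added example; not the file from this PR, whose contents are not shown here.
version: 2
updates:
  # Version updates for the npm manifest at the repository root.
  # These run regardless of whether an advisory exists, unlike the
  # security-only updates that produced PRs such as #325.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      # monthly is the coarsest named interval Dependabot offers.
      interval: "monthly"
    # Assumed additions (not in the proposal) to keep each monthly batch
    # manageable for a repository with few active reviewers:
    open-pull-requests-limit: 5
    groups:
      # Fold every non-major bump into a single pull request per run;
      # major bumps still arrive as individual PRs for separate review.
      non-major:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
```

With grouping in place a quiet month yields one pull request for all minor and patch bumps plus one per major bump, which is the volume a part-time maintainer can realistically review and merge.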
@hyandell
Member

Naive question - how does this differ from having Dependabot turned on and opening PRs like #325 ?

@jlosito
Author

jlosito commented Aug 22, 2024

The one that is currently being used is just around security issues. The one I am proposing is regardless of whether there is a security issue or not.

@hyandell
Member

Got it. This is a constant keep it fresh script.

Sounds good; but I'm unsure if there are enough eyeballs looking at merging things in [I'm very much an absent inherited-this maintainer, with one of my dayjob colleagues often helping out]. I've been leaning more to archiving the repository, perhaps switching to something simpler/newer for my dayjob needs.

@jlosito
Author

jlosito commented Aug 22, 2024

I can very much relate.

It's probably not in your best interest to approve this change then. It can be very noisy. I created an issue with dependabot several months ago to provide cron expressions so that users can configure quarterly, semiannual, annual, etc. No traction on the update upstream though.

@hyandell
Member

Thanks for your understanding. I've kicked off a thread on the TodoGroup Slack's repolinter channel to see what interest there is there in the project.
