env/deps: remove greenkeeper.json, configure dependabot.yml #846

Merged (1 commit), Aug 31, 2020

Conversation

agilgur5

Description

- Greenkeeper has shut down, Snyk has been incredibly annoying and can't be configured in the codebase (installed by Jared and could only be configured by Jared), so use native Dependabot now
  - GitHub acquired Dependabot a little over a year ago and it is what powers GitHub vulnerability updates
- set up sensible defaults with YAML anchor/alias
  - to only make PRs weekly, not spam daily
  - to only make PRs for deps, not devDeps
  - to only increase version when necessary, not for every patch and minor bump when a dep isn't pinned anyway
  - to use "deps:" prefix similarly to what I use
- set up Dependabot to ignore /website entirely, for dep upgrades and vulnerabilities, as it is not a published package and doesn't really have an attack surface area
  - should only be updated as needed, not whenever a dep is upgraded
- temporarily ignore "/" as well because it's currently being updated so don't want duplication spam
  - but leave security PRs on, only dep upgrades off

Tags

Fixes #839
Follow-up to #815 which didn't work and Snyk's removal.

Closing a few PRs as unnecessary since they update the /website dir, which isn't a published library and doesn't really have an attack surface:

- Greenkeeper has shut down, Snyk has been incredibly annoying and can't
  be configured in the codebase (installed by Jared and could only be
  configured by Jared), so use native Dependabot now
  - GitHub acquired Dependabot a little over a year ago and it is what
    powers GitHub vulnerability updates

- set-up sensible defaults with YAML anchor/alias
  - to only make PRs weekly, not spam daily
  - to only make PRs for deps, not devDeps
  - to only increase version when necessary, not for every patch and
    minor bump when a dep isn't pinned anyway
  - to use "deps:" prefix similarly to what I use

- set-up Dependabot to ignore /website entirely, for dep upgrades and
  vulnerabilities, as it is not a published package and doesn't really
  have an attack surface area
  - should only be updated as needed, not whenever a dep is upgraded

- temporarily ignore "/" as well because it's currently being updated so
  don't want duplication spam
  - but leave security PRs on, only dep upgrades off
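The policy described above (weekly cadence, production deps only, increase-if-necessary, a "deps" commit prefix, anchors/aliases for shared settings, root paused for version updates but not security updates, /website silenced completely) can be written as a single `.github/dependabot.yml`. The file below is an added illustration for this page, not the file merged in this PR: the option names and values are Dependabot's documented ones, the choice of plain YAML anchors (`&name` / `*name`) rather than merge keys is mine, and the comments on how `open-pull-requests-limit: 0` and a catch-all `ignore` rule interact with security updates reflect my reading of GitHub's documentation rather than anything stated in the PR.

```yaml
# Added example, not the tsdx project's own dependabot.yml.
# Assumes Dependabot's config parser resolves standard YAML anchors/aliases
# (the PR says it does; plain anchors are used here, no `<<` merge keys).
version: 2

updates:
  # Root package: the published library. Version-update PRs are paused
  # (limit 0) while the tree is being updated by hand. As I read GitHub's
  # docs, this limit does NOT suppress Dependabot security updates, so
  # vulnerability PRs for "/" keep coming, which is what the PR wants.
  - package-ecosystem: "npm"
    directory: "/"
    schedule: &schedule
      interval: "weekly"            # one batch per week instead of daily PRs
    allow: &allow
      - dependency-type: "production"   # deps only; devDependencies skipped
    versioning-strategy: "increase-if-necessary"   # leave unpinned ranges alone
    commit-message: &commit-message
      prefix: "deps"                # Dependabot adds the separator: "deps: bump ..."
    open-pull-requests-limit: 0

  # Docs site: not published, so nothing to upgrade. A catch-all `ignore`
  # rule is used instead of a PR limit because, per GitHub's docs as I read
  # them, ignore rules in dependabot.yml also apply to security updates,
  # whereas open-pull-requests-limit only affects version updates.
  - package-ecosystem: "npm"
    directory: "/website"
    schedule: *schedule
    allow: *allow
    versioning-strategy: "increase-if-necessary"
    commit-message: *commit-message
    ignore:
      - dependency-name: "*"
```

Since Dependabot only reports configuration errors after the file lands on the default branch, a cheap pre-merge check is to confirm the aliases resolve the way you expect with any standard YAML loader, for example `python -c 'import yaml; print(yaml.safe_load(open(".github/dependabot.yml")))'` (assumes PyYAML is installed): the `/website` entry should print with the same `schedule`, `allow` and `commit-message` values as the root entry. The one thing no local check will tell you is the security-update behaviour of `open-pull-requests-limit: 0` versus `ignore`; if that distinction matters, watch the repository's Dependabot alerts tab after the first weekly run rather than assuming it.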
@agilgur5 agilgur5 added the scope: dependencies Pull requests that update a dependency file label Aug 31, 2020

@agilgur5

Test failure is a timeout that's been happening occasionally on macOS runs on GitHub (not limited to this repo), overriding and merging

@agilgur5 agilgur5 left a comment


👍 Seems ok. Let's see how it goes since you can't really test it until it's in the repo

@agilgur5 agilgur5 merged commit 45aea66 into jaredpalmer:master Aug 31, 2020
paul-vd pushed a commit to EezyQuote/tsdx that referenced this pull request Dec 1, 2020
Successfully merging this pull request may close these issues.

Setup dependabot.yml