Add yarn ecosystem to dependabot.yaml #42942
so this may need to be iterated on (validate in the sense of, "hey this is going to work as we expect", not syntactically).
Welcome to the magical world of dependency management.
.github/dependabot.yml
Outdated
interval: monthly | ||
day: "sunday" | ||
time: "09:00" # 9am UTC | ||
open-pull-requests-limit: 10 |
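Review bot: `day: "sunday"` sits next to `interval: monthly`, but Dependabot's `schedule.day` applies only to `interval: weekly`; a monthly schedule runs on the first day of the month. Drop the `day` line, or switch to `interval: weekly` if a Sunday run is what is wanted.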
You might want to bump this if you think we are getting a storm of deps. Same for others.
I went back and forth between "we're getting a lot so open the flood gates" and "we're getting a lot so let's try to limit it". I'm happy either way. Let's see if anyone has anything else to say.
If you anticipate a lot of updates out of the gate it might be worth trying to manually update them first. Botty can get a little confused and conflicted if it has lots of updates to process.
I just merged in a bunch of patch updates. I'm going to try and update the minor updates before this goes in. I'll also bump this to 20. We typically don't have too many deps for each of the repos, but combined it might add up. (I wish we could group it together.)
Once this is in, I'll do the same for |
This PR should enable dependabot to check our web UI ecosystem. We use yarn workspaces so (I believe) we have to target each individual package.json in order for it to be updated. As far as I'm aware, I haven't found a way to [validate a dependabot.yaml file before letting it run](dependabot/dependabot-core#4605) so this may need to be iterated on.
I've tried to split up the responsibility for each package around the web team (connect team takes /teleterm, ryan helps with /build).
Change ecosystem name to npm
According to the docs, although yarn is a valid ecosystem, the job is now asking for npm. I'm not sure if this will use yarn to update the yarn.lock or not
This PR should enable dependabot to check our web UI ecosystem. We use yarn workspaces so (I believe) we have to target each individual package.json in order for it to be updated. As far as I'm aware, I haven't found a way to validate a dependabot.yaml file before letting it run so this may need to be iterated on (validate in the sense of, "hey this is going to work as we expect", not syntactically).
I've tried to split up the responsibility for each package around the web team (connect team takes /teleterm, ryan helps with /build).
I suspect we will get quite a bit of noise at the start since most of our deps are out of date (some more than others) but after the initial push, it should be minimal as time goes on.
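One way to check the per-workspace coverage the description relies on, as an added example that is not code from this PR or the project: it lists package.json directories that no `npm` update entry covers, entries whose directory no longer exists, and entries still named `yarn`. It assumes the config is passed as the dict a YAML loader would return; the function names and the `/design` and `/removed` directories are hypothetical.

```python
import os
import tempfile

def workspace_dirs(repo_root):
    """Repo-relative directories ('/x/y') that hold a package.json."""
    found = []
    for cur, dirs, files in os.walk(repo_root):
        # Installed dependencies are not workspaces; do not descend into them.
        dirs[:] = [d for d in dirs if d not in ("node_modules", ".git")]
        if "package.json" in files:
            rel = os.path.relpath(cur, repo_root).replace(os.sep, "/")
            found.append("/" if rel == "." else "/" + rel)
    return sorted(found)

def audit(config, repo_root):
    """Compare Dependabot `npm` entries with the package.json dirs on disk."""
    covered, yarn_named = set(), []
    for entry in config.get("updates", []):
        directory = "/" + entry.get("directory", "/").strip("/")
        ecosystem = entry.get("package-ecosystem")
        if ecosystem == "npm":
            covered.add(directory)
        elif ecosystem == "yarn":
            yarn_named.append(directory)  # the PR had to rename this to npm
    on_disk = set(workspace_dirs(repo_root))
    return {
        "uncovered": sorted(on_disk - covered),  # never checked for updates
        "stale": sorted(covered - on_disk),      # entry points at nothing
        "yarn_named": sorted(yarn_named),
    }

# Constructed sample: /build and /teleterm are named in the PR description,
# /design and /removed are hypothetical.
SAMPLE = {"version": 2, "updates": [
    {"package-ecosystem": "npm", "directory": "/build"},
    {"package-ecosystem": "yarn", "directory": "/teleterm"},
    {"package-ecosystem": "npm", "directory": "/removed"},
]}

def demo():
    """Build a throwaway workspace tree and audit SAMPLE against it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("build", "teleterm", "design", "build/node_modules/dep"):
            os.makedirs(os.path.join(root, d))
            open(os.path.join(root, d, "package.json"), "w").close()
        return audit(SAMPLE, root)

if __name__ == "__main__":
    print(demo())
```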