Adding dependabot support #780
Conversation
|
shall we move all CI functions from travis to github to avoid the duplicated testing? |
Yes, I will create another PR for the work in progress on replacing travis with github actions. |
|
Both java and python dependencies are enabled now. Dependabot will check python daily and java monthly. It will create a PR for upgrade insecure or outdated dependencies in SINGA like this java PR and this python PR. notes:
|
|
let's consider this PR in the next version. |
Ok. Although we can at least enable the dependabot support and badge, even though we don't resolve the problems that dependabot report. Just like we enabled lgtm but we don't have to fix all its errors, and we enabled codecov but we don't have to test with 100% coverage.
We don't have to update immediately all the dependencies that dependabot found obsolete or insecure. At least we can have the results of the dependency analysis and the singa team can decide the work priorities. The PB team are working now on a release candidate for version 4 and planning to upgrade singa PB to at least version 3 can be useful.
We don't support machine readable requirements that can be found by Github tools. The instructions to installing singa dependencies with pip is only human readable in the web site documentation, or in the conda scripts. We need to extract these dependencies into something like requirements.txt so that Github (and other tools) can find them. |
Dependabot is a native tool in github that automatically checks the dependencies of the project and creates pull requests for outdated or insecure dependencies. See how it works from here.
Currently it will analyze only the dependencies defined in pom.xml in SINGA because other dependencies are hard coded in configuration or shell scripts which are not supported by this tool. In future commits, the dependencies will be moved to standard files such as python requirements.txt so that they become available to dependabot and similar tools.