-
Notifications
You must be signed in to change notification settings - Fork 76
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add dependabot #113
base: master
Are you sure you want to change the base?
Add dependabot #113
Conversation
Signed-off-by: Luca Comellini <[email protected]>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: lucacome The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Welcome @lucacome! |
Why is that? It doesn't seem very safe to have outdated dependencies. I've also added dependabot to a few kubernetes repos already... |
Not having automated dependency bump PRs isn’t the same as having outdated dependencies. Others in k8s-code-organization have more experience of this than me, but I see several concerns with automated bump PRs (in Kubernetes):
I also think library-type projects have different requirements in terms of dependencies compared to directly-consumable projects. It makes sense to me for library-type projects to be conservative in their dependencies, to avoid forcing their users to upgrade other parts of the dependency tree quicker than strictly necessary; whereas end-user-facing projects (projects that build binaries or container images for direct consumption) might want to stay closer to the latest available releases of their dependencies. Keeping older library dependencies might seem dangerous, but there have been several cases in k/k where a dependency introduced bugs which didn’t affect “smaller” repositories in the Kubernetes project but affected k/k — so bumping them in the library project meant that k/k itself couldn’t bump the library dependency, even though the dependency bump in the library was artificial (not mandated by the library requiring new features in the dependency). In this particular project, there are only two dependencies, both only used for test code. |
Adds dependabot to keep all the dependencies up to date.