Skip to content

env/deps: remove greenkeeper.json, configure dependabot.yml#846

Merged
agilgur5 merged 1 commit intojaredpalmer:masterfrom
agilgur5:dependabot-config
Aug 31, 2020
Merged

env/deps: remove greenkeeper.json, configure dependabot.yml#846
agilgur5 merged 1 commit intojaredpalmer:masterfrom
agilgur5:dependabot-config

Conversation

@agilgur5
Copy link
Copy Markdown
Collaborator

@agilgur5 agilgur5 commented Aug 31, 2020

Description

  • Greenkeeper has shut down, Snyk has been incredibly annoying and can't
    be configured in the codebase (installed by Jared and could only be
    configured by Jared), so use native Dependabot now

    • GitHub acquired Dependabot a little over a year ago and it is what
      powers GitHub vulnerability updates

  • set-up sensible defaults with YAML anchor/alias

    • to only make PRs weekly, not spam daily
    • to only make PRs for deps, not devDeps
    • to only increase version when necessary, not for every patch and
      minor bump when a dep isn't pinned anyway
    • to use "deps:" prefix similarly to what I use

  • set-up Dependabot to ignore /website entirely, for dep upgrades and
    vulnerabilities, as it is not a published package and doesn't really
    have an attack surface area

    • should only be updated as needed, not whenever a dep is upgraded

  • temporarily ignore "/" as well because it's currently being updated so
    don't want duplication spam

    • but leave security PRs on, only dep upgrades off

Tags

Fixes #839
Follow-up to #815 which didn't work and Snyk's removal.

Closing a few PRs as unnecessary since they update the /website dir, which isn't a published library and doesn't really have an attack surface:

@agilgur5
env/deps: remove greenkeeper.json, configure dependabot.yml
924bfc7 
- Greenkeeper has shut down, Snyk has been incredibly annoying and can't
  be configured in the codebase (installed by Jared and could only be
  configured by Jared), so use native Dependabot now
  - GitHub acquired Dependabot a little over a year ago and it is what
    powers GitHub vulnerability updates

- set-up sensible defaults with YAML anchor/alias
  - to only make PRs weekly, not spam daily
  - to only make PRs for deps, not devDeps
  - to only increase version when necessary, not for every patch and
    minor bump when a dep isn't pinned anyway
  - to use "deps:" prefix similarly to what I use

- set-up Dependabot to ignore /website entirely, for dep upgrades and
  vulnerabilities, as it is not a published package and doesn't really
  have an attack surface area
  - should only be updated as needed, not whenever a dep is upgraded

- temporarily ignore "/" as well because it's currently being updated so
  don't want duplication spam
  - but leave security PRs on, only dep upgrades off
@agilgur5 agilgur5 added the scope: dependencies Pull requests that update a dependency file label Aug 31, 2020
@vercel

This comment has been minimized.

Sign in to view
@agilgur5
Copy link
Copy Markdown
Collaborator Author

agilgur5 commented Aug 31, 2020

Test failure is a timeout that's been happening occasionally on macOS runs on GitHub (not limited to this repo), overriding and merging

agilgur5
agilgur5 commented Aug 31, 2020
View reviewed changes
Copy link
Copy Markdown
Collaborator Author

@agilgur5 agilgur5 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Seems ok. Let's see how it guess since you can't really test it until its in the repo

@agilgur5 agilgur5 merged commit 45aea66 into jaredpalmer:master Aug 31, 2020
This was referenced Aug 31, 2020
Closed
Closed
Merged
Closed
@agilgur5 agilgur5 mentioned this pull request Oct 7, 2020
Merged
paul-vd pushed a commit to EezyQuote/tsdx that referenced this pull request Dec 1, 2020
@agilgur5 @paul-vd
env/deps: remove greenkeeper.json, configure dependabot.yml (jaredpal…
5954133 
…mer#846)

- Greenkeeper has shut down, Snyk has been incredibly annoying and can't
  be configured in the codebase (installed by Jared and could only be
  configured by Jared), so use native Dependabot now
  - GitHub acquired Dependabot a little over a year ago and it is what
    powers GitHub vulnerability updates

- set-up sensible defaults with YAML anchor/alias
  - to only make PRs weekly, not spam daily
  - to only make PRs for deps, not devDeps
  - to only increase version when necessary, not for every patch and
    minor bump when a dep isn't pinned anyway
  - to use "deps:" prefix similarly to what I use

- set-up Dependabot to ignore /website entirely, for dep upgrades and
  vulnerabilities, as it is not a published package and doesn't really
  have an attack surface area
  - should only be updated as needed, not whenever a dep is upgraded

- temporarily ignore "/" as well because it's currently being updated so
  don't want duplication spam
  - but leave security PRs on, only dep upgrades off
@agilgur5 agilgur5 mentioned this pull request Dec 18, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

scope: dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Setup dependabot.yml

1 participant

@agilgur5