Create dependabot.yml #2848

Merged
merged 1 commit into from
Oct 3, 2023

Conversation

juherr
Contributor

@juherr juherr commented Sep 11, 2023

No description provided.

@juherr
Contributor Author

juherr commented Sep 20, 2023

Hi @kylekatarnls
Any chance to have a review or feedback?

@kylekatarnls
Collaborator

kylekatarnls commented Sep 20, 2023

Hello, sorry I didn't have time to check dependabot behavior. I would like to see what it would suggest as an example before I actually integrate it, and what the possible fine tuning is. I would not add it if it's to get suggestions that don't make sense for our library.

I would add new tools only if they have a benefit for the users. As a library, we try to keep our compatibility range wide as long as it's backward-compatible, which is already what happens using ^x.y.z semver; dropping dependency (major) versions happens only on a major version bump of Carbon, and then which version to drop or not is based on current support of those libraries and user needs, so it somehow has to be done manually. Same for supporting new major versions of the dependencies: we have very few, and when we add support for a new version, it needs testing and most of the time adapting some code, not just bumping the number in composer.json. This also needs human attention and manual care.

So I'm not sure relying on automation would help.

@juherr
Contributor Author

juherr commented Sep 20, 2023

Dependabot is just a friend who notifies you that one of your dependencies has released a new version and helps you to update without effort.

Here, it checks both Composer dependencies and GitHub Actions.

In case you need more options https://github.com/renovatebot/renovate can be a good alternative.

In fact it is more a tool for the contributors than the end users. 😉

Feel free to close the PR if you don't plan to use dependabot.
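As an added illustration (not the file this PR actually merged), this is what a `.github/dependabot.yml` covering the two ecosystems mentioned above could look like, with the Composer entry tuned so that major version bumps are never proposed automatically, matching the maintainer's point that dropping or adding major dependency versions needs manual care. The schedule, grouping and the "*" wildcard are assumptions chosen for the example.

```yaml
# Assumed example configuration, not the contents of PR #2848.
version: 2
updates:
  # Composer dependencies declared in composer.json at the repo root.
  - package-ecosystem: "composer"
    directory: "/"
    schedule:
      interval: "weekly"
    # Only minor and patch updates are proposed; major bumps are
    # ignored so they stay a human decision tied to a Carbon major release.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    # One PR for all small updates keeps review noise low.
    groups:
      composer-minor-and-patch:
        update-types: ["minor", "patch"]

  # Actions referenced in .github/workflows/*.yml (e.g. actions/checkout@vN).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place the bot only opens PRs for dependency and action updates within the ranges the maintainers already accept, which is the kind of limited automation the discussion above converges on.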

@kylekatarnls kylekatarnls added this to the 2.72.0 milestone Oct 3, 2023
@kylekatarnls kylekatarnls merged commit dc9e613 into briannesbitt:master Oct 3, 2023
53 checks passed
@juherr juherr deleted the patch-1 branch October 3, 2023 12:05