feat: add dependabot for this project for minor and patch updates for nuget packages and github actions #792
base: main
… nuget packages and github actions
Team members of NSubstitute are very conservative about updating dependencies... I have 2 questions:
? Thank you |
Thanks for this!
What are the possible impacts to users here? Not sure if any of these are legitimate concerns these days, but previously we've had cases like:
The other consideration is what we're gaining by updating these dependencies. I think the motivations are a bit different between test-only code and production code. If a project using NSub wants a different dep version they can specify this, but iirc there isn't an easy way to force a previous version if it is required for some reason. Again, not sure if any of these are legitimate concerns, but thought it would be worth clarifying.
I much prefer the simpler version! ❤️ |
If I could help out in this discussion: if you are worried about certain packages needing to be pinned to a specific version, you can do the following, e.g. what I have done in my project is as follows
this excludes any npm packages starting with dependabot will then exclude it from any PR opened by it in that group you specify

Also, another potential issue with removing "groups" in the config is that dependabot will open a PR for each package, which means your repository will potentially get spammed with a lot of PRs |
I'm less worried about packages NSub uses, and more about requirements that projects that use NSubstitute require. (example) I'm probably being overly conservative with this. 🤔 |
Okay, what is the final decision? For now we don't want to have dependabot, right? |
@Romfos I'm happy to go with whatever you recommend here. We don't need to accept dependabot PRs so shouldn't be an issue if you want to try it out. |
@dtchepak according to your comment here: #831 (comment)

If I understand your comment correctly, we want to stay on older dependencies for the package project. We can enable it for non-package projects like unit tests:

```yaml
version: 2
updates:
  - package-ecosystem: "nuget"
    # Only test, benchmark and build projects; the packaged project is not listed
    directories:
      - "/tests/NSubstitute.Acceptance.Specs"
      - "/tests/NSubstitute.Benchmarks"
      - "/build"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
```
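An added example, not taken from this PR or from the NSubstitute repository: one `dependabot.yml` that combines the points raised in the thread, namely minor and patch updates only, grouped PRs with an excluded package pattern, and NuGet updates scoped to the non-package directories listed above. The package prefix `Example.Pinned.*` and the group names are hypothetical placeholders.

```yaml
# Added illustration; not the configuration proposed in this PR.
version: 2
updates:
  - package-ecosystem: "nuget"
    # Test, benchmark and build projects only (paths from the comment above),
    # so dependency ranges of the published package stay untouched.
    directories:
      - "/tests/NSubstitute.Acceptance.Specs"
      - "/tests/NSubstitute.Benchmarks"
      - "/build"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 5
    groups:
      # One grouped PR for minor/patch bumps instead of one PR per package.
      nuget-minor-patch:          # hypothetical group name
        patterns:
          - "*"
        exclude-patterns:
          - "Example.Pinned.*"    # hypothetical prefix kept out of the group
        update-types:
          - "minor"
          - "patch"
    ignore:
      # Do not propose major-version bumps for any package.
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
      # Hold the hypothetical pinned packages at their current version.
      - dependency-name: "Example.Pinned.*"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions-minor-patch:        # hypothetical group name
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```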
Changes
See examples PR on what will be raised in this repository
hope that helps!