@Nerivec Nerivec commented Aug 11, 2025

PR Checklist

Please check if your PR fulfills the following requirements:

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)

PR Type

What kind of change does this PR introduce?

[ ] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[x] CI related changes
[ ] Documentation content changes
[ ] Other... Please describe:

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Keep dependencies up to date using dependabot.

npm

  • weekly updates, PR named fix: ...
  • always increase versions in package.json
  • group minor & patch updates as one PR for dev deps, and one PR for reg deps.
  • major updates as one per PR

GH actions

  • weekly updates, PR named chore: ...

Here's an example from a repo using this exact config: https://github.com/Nerivec/zigbee2mqtt-windfront/commits/main/?author=dependabot%5Bbot%5D

Does this PR introduce a breaking change?

[ ] Yes
[ ] No

Other information

I also suggest the project be moved to @biomejs/biome. It removes plenty of dev deps, and is far faster than eslint/prettier.


netlify bot commented Aug 11, 2025

Deploy Preview for reagraph ready!

Name Link
🔨 Latest commit f3c989e
🔍 Latest deploy log https://app.netlify.com/projects/reagraph/deploys/689a086d4f3437000824bad9
😎 Deploy Preview https://deploy-preview-361--reagraph.netlify.app


amcdnl commented Oct 7, 2025

As much as I would like to automate this, I don't think it's feasible at the moment. ThreeJS and R3F have a complicated dependency relationship that is going to result in just a lot of noise and broken things that we don't have time to run down every week. I do appreciate your contribution.

@amcdnl amcdnl closed this Oct 7, 2025

Nerivec commented Oct 7, 2025

I agree. These could be put as exceptions, so the rest of the packages remain up to date automatically, and three-related are maintained manually. cf https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates#overriding-the-default-behavior-with-a-configuration-file
The schedule can also be adjusted to something that fits your schedule.

It would avoid the need for big PRs like #351 that are far more likely to introduce problems due to the number of updates "at once".
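
The configuration discussed in this thread, sketched as an added example (it is not the file from this PR): weekly npm and GitHub Actions updates with the grouping and commit prefixes listed in the description, plus `ignore` entries for the three.js packages as suggested in the last comment. The group names, the `/` directory and the ignored package names `three` and `@react-three/*` are assumptions.

```yaml
# .github/dependabot.yml (added example; not the file from this PR)
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"                   # assumed: package.json at the repo root
    schedule:
      interval: "weekly"
    versioning-strategy: "increase"  # always bump the range in package.json
    commit-message:
      prefix: "fix"                  # PR titles become "fix: ..."
    groups:
      # Group names are assumed. Major updates match neither group,
      # so each major bump arrives as its own PR.
      dev-deps:
        dependency-type: "development"
        update-types: ["minor", "patch"]
      prod-deps:
        dependency-type: "production"
        update-types: ["minor", "patch"]
    ignore:
      # Assumed package names for the three.js / R3F stack, kept out of
      # automated version updates and maintained by hand.
      - dependency-name: "three"
      - dependency-name: "@react-three/*"

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    commit-message:
      prefix: "chore"                # PR titles become "chore: ..."
```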
