(moving discussion from Slack to accessible space)
@Benjamin Bouvier:
I was wondering if dependabot had been disabled? (maybe during the move to the Bytecode Alliance?)
I am not sure if I was the one who set up dependabot in the first place. I don't think I have admin rights for the repo, maybe it was @Till Schneidereit? In any case, I can definitely believe that the org move broke it. FWIW, I do think it is worth setting up again.
We talked last week a bit about which settings to use for it, and I think we came to the conclusion that we should only auto-merge for sec updates (although this was in the context of wasmtime rather than cranelift specifically) to balance keeping deps up-to-date vs supply chain attacks. We would manually review the other dep updates, IIRC. Not sure if we want this same policy for cranelift or not.
The discussion about switching to security fixes only is the only conversation I remember about this. I do vaguely remember @Dan Gohman saying something about dependabot updates having changed, though. Dan, is there something else going on regarding dependabot for Cranelift?
I don't know what the rest of the context is here.
I do know that dependabot has been something of an experiment, and so far, my experience is that it's far too "busy". I don't need to wake up to 15 dependabot emails with minor-rev-bump pull requests.
So changing it to be security-update-only sounds good to me.
(Also, dependabot doesn't seem to understand when one of my dependencies has a dependency on another that requires both to be updated at the same time, so not only does it submit many small PRs when one big one would be easier to review and manage, those small PRs are often broken.)
Last updated: Nov 22 2024 at 16:03 UTC