(moving discussion from slack to accessible space)
@Benjamin Bouvier:
i was wondering if dependabot had been disabled? (maybe during the move to the bytecode alliance?)
I am not sure if I was the one who set up dependabot in the first place. I don't think I have admin rights for the repo, maybe it was @Till Schneidereit? In any case, I can definitely believe that the org move broke it. FWIW, I do think it is worth setting up again.
We talked last week a bit about which settings to use for it, and I think we came to the conclusion that we should only auto-merge for sec updates (although this was in the context of wasmtime rather than cranelift specifically) to balance keeping deps up-to-date vs supply chain attacks. We would manually review the other dep updates, IIRC. Not sure if we want this same policy for cranelift or not.
The discussion about switching to security fixes only is the only conversation I remember about this. I do vaguely remember @Dan Gohman saying something about dependabot updates having changed, though. Dan, is there something else going on regarding dependabot for Cranelift?
I don't know what the rest of the context is here.
I do know that dependabot has been something of an experiment, and so far, my experience is that it's far too "busy". I don't need to wake up to 15 dependabot emails with minor-rev-bump pull requests.
So changing it to be sec update only sounds good to me.
(Also, dependabot doesn't seem to understand when one of my dependencies has a dependency on another that requires both to be updated at the same time, so not only does it submit many small PRs when one big one would be easier to review and manage, those small PRs are often broken.)
Last updated: Dec 23 2024 at 12:05 UTC