Happy inbox full of dependabot updates to everyone, and why are we still using this tool?

@webology What would you prefer to use? I really like that there's at least _something_ watching my back for important updates

@itsthejoker Something that can handle UV would be nice (we finally have an alpha though that sort-of works)

It's more miss than hit for me lately. I should re-review the docs to see what's changed in case there are better "only let me know when there is a security update" options.

Instead, I have a small fleet of scripts, which more or less are the missing brain to dependabot to know when to auto-merge and when to just close the PR and see if it fixes it next week.

@webology @itsthejoker The funny thing is, to configure a "security fixes only" mode you configure Dependabot and then set no schedule. I believe Dependabot sends you security updates regardless of a schedule being configured.

@sethmlarson @webology @itsthejoker I'd love to understand the ideal case here better. I find dependabot's default mode pretty irritating myself, but I'm having a hard time articulating why other than "I don't like emails"

@offby1 @sethmlarson @webology @itsthejoker I blogged about why I disabled Dependabot: https://davidism.com/disabling-scheduled-dependency-updates/ The notifications were relentless and overwhelming, and generally not helpful for libraries, where pins are for reproducible dev envs, not deployments.

@davidism @offby1 @sethmlarson @itsthejoker

This is great. I had this in the back of my mind when I was posting today.

I'm not quite to the point of leaving it totally behind because it is useful for clients, but I'm tired of the Monday flood of 20+ notifications.

@webology @davidism @offby1 @itsthejoker

You may already be doing so, but if you're using Dependabot for apps I highly recommend using groups. The default behavior of one-PR-per-dependency is so spammy and wasteful of CI time.
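A worked `.github/dependabot.yml`, added here as an illustration and not taken from any post in this thread, showing the two settings discussed above: `groups` to collapse the one-PR-per-dependency flood into a couple of PRs, and `open-pull-requests-limit: 0` on an ecosystem where you only want Dependabot's security updates (those are enabled in repository settings and are not governed by this file's schedule). The ecosystems and directory are assumptions.

```yaml
# Added example (not from any post in this thread). Assumes a pip project
# at the repository root plus GitHub Actions workflows; adjust ecosystems.
version: 2
updates:
  # Application dependencies: grouped PRs instead of one PR per package.
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    groups:
      # Minor and patch bumps of everything land in a single PR.
      routine-bumps:
        patterns:
          - "*"
        update-types:
          - "minor"
          - "patch"
      # Major bumps get their own grouped PR so they stand out for review.
      major-bumps:
        patterns:
          - "*"
        update-types:
          - "major"

  # CI actions: version updates disabled by setting the PR limit to 0.
  # Dependabot security updates (enabled in repository settings) are still
  # raised, which gives the "security fixes only" behaviour discussed above.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

Each group produces at most one open PR at a time, so CI runs once per group per week rather than once per dependency.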

@webology @davidism @offby1 @sethmlarson @itsthejoker

It's a mild annoyance for my own projects, but a far bigger annoyance if you want to follow other projects' development. In that case I really only care about following PRs that do something, not necessarily every intermediate version bump PR.

@davidism @offby1 @sethmlarson @webology @itsthejoker hard agree. I don't even see the point of it for apps. There are much better strategies for keeping up with updates that don't create a ton of garbage in the PR tab.