The dependabot settings are inherited from upstream, and this bot does not necessarily help for a forked project like this.
The reason is that we get a spam of updates of a single package on EACH release branch (rate limited by dependabot). This causes issues:
It's not scalable to update a single package at a random time on a random release branch, especially manually. In fact, we were not touching it, so the bot paused:
Every single update is essentially a "patch" that will make it much harder to sync e.g. a patch version from Prometheus later on. It is also unclear whether we should trigger an expensive and time-consuming release for each update or not.
I would suggest we disable the bot for now. If we need security updates on certain deps on certain releases, we might want to rather fix upstream OR manually patch the version, and only do that if absolutely necessary.
If we really want a spam of PRs with dep updates and we want all release branches to have all the latest deps (I don't think we want/need that), I would suggest we reconfigure dependabot to do batch upgrades, so it's manageable.
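The two options raised in the issue body (disable version-update PRs, or batch them) both map onto `.github/dependabot.yml` settings. The fragment below is an added example for illustration, not this repository's own configuration; the `gomod` ecosystem and the `release-X.Y` branch name are assumptions.

```yaml
# Added example, not the repository's own dependabot.yml.
# The gomod ecosystem and the release-X.Y branch name are assumptions.
version: 2
updates:
  # Option A: keep Dependabot active on a release branch, but batch every
  # outdated package into one grouped pull request per run instead of
  # one PR per package per branch.
  - package-ecosystem: "gomod"
    directory: "/"
    target-branch: "release-X.Y"   # placeholder release branch name
    schedule:
      interval: "monthly"
    groups:
      all-go-deps:
        patterns:
          - "*"

  # Option B: stop version-update PRs on the default branch while leaving
  # Dependabot security updates unaffected. A limit of 0 disables version
  # updates for this ecosystem without deleting the entry.
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 0
```

Two entries for the same ecosystem and directory are allowed only because one of them sets `target-branch`. Note also that Dependabot security updates are raised only against the default branch, so a vulnerable dependency on a release branch still has to be backported by hand (or picked up from upstream) whichever option is chosen, which is the trade-off the issue body describes.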
Why? We've been merging Dependabot issues in the prometheus-engine repository. They're really useful, especially since at the end of this month, we'll need to start merging those to meet vulnerability requirements.
bwplotka changed the title from "Disable dependabot." to "Disable (or adjust) dependabot." on Jul 5, 2023