I love to use dependabot, though when starting to use it with a typescript project, I encountered an issue: Dependabot correctly updated the package-lock.json during a Security-Update to fix a vulnerability, but naturally did not update the committed index.js file that contains all code used by the module, including from dependencies.
To get more into detail: I forked GitHub's own stale-action, which has an npm script npm run build responsible for generating the index.js from typescript sources, which is then committed and used to run a composite action.
I assume npm run build is not some hard convention so Dependabot wouldn't know to run this.
So I have to manually check out that branch, compile the sources and push the resulting changes every time there's an update.
I spent some time on Google and found no existing solution. It's probably not usual practice to commit the compiled sources, so it probably doesn't come up all that often, but stale-action does do it... 🤷♂️ It has a couple of advantages, so I'm not one to judge.
What I would need from Dependabot:
When a change in dependency is detected, run a script (configurable in dependabot.yml) and commit resulting pending changes.
Commit message could be configurable as well, or just add the changes to the version update commit? Could be discussed. Maybe configurable (amending the version update commit by default, but if the user configured a commit-message, that results in a separate commit).
Might also be nice to be able to provide file-spec patterns and/or ignore-patterns for which files should be considered for commit.
Or the commit is done by the script itself instead of adding lots of new configuration options, but dependabot must recognize those commits as part of the version update so they don't prevent later updates of the PR.
Oh, I just noticed a possible problem: The issue occurred during Security-Update, not a Version-Update configured by dependabot.yml, so the settings would need to be configured in WebUI? Not sure exactly how this works 😉
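A CI check for the gap described above, added here as an illustration and not part of the original discussion or of stale-action: on Dependabot pull requests it rebuilds from the updated lockfile and fails the run when the committed bundle no longer matches the build output, so a stale index.js is caught before merge without giving the workflow any write access. The output path dist/index.js, the Node version and the build script name are assumptions.

```yaml
name: Verify committed build output

on:
  pull_request:

jobs:
  check-dist:
    # Only Dependabot PRs need this: they update package-lock.json but
    # cannot run the project's build script.
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read-only: this job verifies, it never pushes
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumption: pick the version the repo builds with

      # Install exactly what the updated lockfile pins, then rebuild.
      - run: npm ci
      - run: npm run build

      # Fail when the rebuilt bundle differs from the committed one.
      # dist/index.js is an assumed path; the post only says index.js.
      - name: Check that index.js is up to date
        run: |
          if ! git diff --quiet -- dist/index.js; then
            echo "::error::dist/index.js is stale: run 'npm run build' and commit the result"
            git --no-pager diff --stat -- dist/index.js
            exit 1
          fi
```

A failing check is the signal to rebuild and push; committing from the workflow itself would need write permission, which Dependabot-triggered runs receive only read-only by default.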