Author Topic: dependabot  (Read 7365 times)

Mike

  • Jackass In Charge
  • Posts: 11270
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
dependabot
« on: November 09, 2020, 11:51:07 AM »
Wondering how many of you are using dependabot on GitHub.  If you don't know, it is a bot now owned by GitHub that looks at your dependencies files and will open PRs to updated them as new releases are made.  Additionally, it will also alert you if one of the dependencies does a security fix.

I started using it a couple months ago and I love it.  It took a couple of weeks of tweaking the schedule, target branch, and process to get it to fit into our process but it is so worth it.  I've got it scheduled to run weekly on Sundays.  So, Monday mornings I review the changes, approve them, and tell the bot to merge it.  I then bring them into the dev branch for regular testing.  All the PRs are sent through our test suite just like everything else.

This totally beats our previous manual process of monthly (which often becomes every-other-month) review and update.

hans

  • Guitar Addict
  • Jackass In Charge
  • Posts: 3539
  • Karma: +46/-18
Re: dependabot
« Reply #1 on: November 09, 2020, 01:28:35 PM »
We have it running on our main repos.
This signature intentionally left blank.

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14337
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: dependabot
« Reply #2 on: November 10, 2020, 12:31:48 AM »
We have it on all of our Github repos and it is awesome.  Unfortunately (for this reason only), we're moving everything to Azure DevOps repos and I haven't found an equivalent scanner there.  But who knows what MS will do.  I can't imagine they will keep both repos forever.  I wish Sonarcloud would implement a package scanner.  Or maybe we just need to give in and get Veracode.

Mike

  • Jackass In Charge
  • Posts: 11270
  • Karma: +168/-32
  • Ex Asshole - a better and more caring person.
Re: dependabot
« Reply #3 on: November 10, 2020, 09:12:46 AM »
Well, given that MS owns GitHub I wouldn't be surprised if it got ported there as well.

ober

  • Ashton Shagger
  • Ass Wipe
  • Posts: 14337
  • Karma: +73/-790
  • mini-ober is taking over
    • Windy Hill Web Solutions
Re: dependabot
« Reply #4 on: November 10, 2020, 11:05:11 AM »
I wish they would make a decision.  It could have a big impact on us.