
Automatic update dependencies #2754

Open
BDVGitHub opened this issue Jan 3, 2025 · 3 comments

Comments

@BDVGitHub

Is it possible to use Dependabot to keep dependencies up to date? (more info on dependabot) Or alternatively Renovatebot is also an option.

@simonpoole
Collaborator

What problem do you believe that using dependabot would solve?

PS: we used to use, years before dependabot was a thing, a service to check for potentially updatable dependencies, so it isn't as if this is a new idea.

@BDVGitHub
Author

BDVGitHub commented Jan 3, 2025

Dependabot consists of three different features that help you manage your dependencies:

  • Dependabot alerts: Inform you about vulnerabilities in the dependencies that you use in your repository.
  • Dependabot security updates: Automatically raise pull requests to update the dependencies you use that have known security vulnerabilities.
  • Dependabot version updates: Automatically raise pull requests to keep your dependencies up-to-date.

So you can choose in which case you get an alert and do not have to manually check the dependencies to see whether they need to be updated.

You can set the frequency at which Dependabot checks for new versions for each defined package manager, modify the maximum number of pull requests opened for version updates, explicitly ignore specific dependencies, versions and update types, and assign reviewers to the automatic pull requests.

So the problem that dependabot (or something similar) would solve is that you don't have to manually look for dependency updates.
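As an added illustration (not configuration from this issue or from the project), here is a `.github/dependabot.yml` that sets each of the options mentioned in the comment above: the check frequency, the cap on open pull requests, ignored dependencies and update types, and reviewers. The package ecosystem is assumed to be Gradle; the dependency coordinates and the reviewer handle are placeholders.

```yaml
# Added example, not the project's own configuration. Gradle is assumed as the
# build system; dependency names and the reviewer handle are placeholders.
version: 2
updates:
  - package-ecosystem: "gradle"
    directory: "/"                       # where build.gradle / settings.gradle live
    schedule:
      interval: "weekly"                 # how often Dependabot looks for new versions
      day: "monday"
    open-pull-requests-limit: 5          # cap on concurrent version-update PRs
    reviewers:
      - "example-org/build-maintainers"  # placeholder team, replace with a real handle
    labels:
      - "dependencies"
    ignore:
      # Skip major bumps of a placeholder library; minor and patch updates still arrive.
      - dependency-name: "com.example:placeholder-library"
        update-types: ["version-update:semver-major"]
      # Exclude a second placeholder library from version updates entirely.
      - dependency-name: "com.example:pinned-library"
    groups:
      # Fold minor and patch bumps into a single PR so each review covers one batch.
      minor-and-patch:
        update-types:
          - "minor"
          - "patch"
```

Setting `open-pull-requests-limit: 0` keeps this file in place but turns off version-update pull requests, so that only security updates (which are enabled in the repository settings rather than in this file) open pull requests.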

@simonpoole
Collaborator

> So the problem that dependabot (or something similar) would solve is that you don't have to manually look for dependency updates.

Gradle's built-in dependencyUpdates task already produces a list of updated dependencies. It doesn't contain as much information as dependabot, but as every dependency change needs to be evaluated and tested on its own, it is questionable whether that really helps.
