Dependabot
#3322
Comments
@sabify, can I try it?
Frankly the reason we removed it was that the PRs were, for the most part, completely useless. We do not need to add a lock file in order to add Dependabot in order to have it make PRs to bump patch releases of dependencies. Cargo will do this on its own and the notification spam made actual project maintenance harder. I'm open to other configurations, but the main goal here would be to limit bot PRs to actual updates.
I agree, I would be in favor of this as a CI step during releases, but mostly it is a giant pain for the day to day.
It seems the most useful update strategy doesn't work in the cargo version of Dependabot, and because of that some switched to Renovate, like Astral (astral-sh/uv#2653).
offtopic:
`Dependabot` has been removed in 21f26e7 and I think it is due to PR pollution caused by this bot. I believe it is still worth keeping it but have fewer opened PRs by this bot. It can easily be achieved by: `open-pull-requests-limit: 3`.
`leptos` has pretty large dependencies and keeping them up-to-date manually can be time-consuming and keeping them up-to-date is essential for security and stability. By limiting the open pull requests to three, we maintain a manageable workflow while staying current with dependency changes. This not only enhances our project's reliability but also frees up time for the team to focus on new features and improvements.
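
A `.github/dependabot.yml` sketch of the limit proposed in the issue text above, as an added example that is not taken from the leptos repository. The weekly schedule and the patch-level `ignore` rule are assumptions, included to reflect the maintainers' stated goal of limiting bot PRs to actual updates.

```yaml
# .github/dependabot.yml (added example, not the leptos project's own file)
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"                 # assumption: manifest at the repository root
    schedule:
      interval: "weekly"           # assumption: the thread does not state a cadence
    open-pull-requests-limit: 3    # the cap proposed in this issue
    ignore:
      # assumption: skip patch-level version bumps for every dependency,
      # since Cargo already resolves compatible patch releases on its own
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
```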