[openstreetmap/openstreetmap-website] Turn off dependabot? (#2992)

Andy Allan notifications at github.com
Wed Dec 2 11:03:14 UTC 2020


I find the dependabot PRs to be distracting and a little annoying, due to the way that they work. Dependabot makes a PR for every patch release of every dependency, not just security updates. However, Dependabot [currently has no support for grouped requests](https://github.com/dependabot/dependabot-core/issues/1190), so every gem or node module update gets its own PR. Since we have over 80 gems (and 120 node modules), and some of them are updated frequently (e.g. AWS), the stream of PRs is never-ending. The PRs are also mostly unimportant.

Some tallying shows that of the 222 PRs opened since we enabled dependabot in June, 137 (62%) are dependabot, and 85 by other people. As well as annoying me, I worry that the endless stream of (unimportant) dependabot notifications might cause other people to turn off notifications entirely and stop being involved in this repo.

So I would like to turn them off, at least until support for grouped requests is available. In the meantime, we can run `bundle update` or `yarn upgrade` every week or two if we want to keep up with the patch releases.

https://github.com/openstreetmap/openstreetmap-website/issues/2992