[LRUG] Automated gem updates

Harry Marr harry.marr at gmail.com
Tue May 30 06:07:47 PDT 2017


El Rug, hola!

A friend and I just released Dependabot <https://dependabot.com/>, a tool
(built in Ruby) for automatically keeping Ruby & JS dependencies
up-to-date. We'd love any feedback -- does this match your ideal flow for
keeping your Gemfile{,.lock} up-to-date? If not, what would you like to see
it do differently?

Currently it'll run each morning and create a GitHub PR for each dependency
that needs bumping. We've seen other tools that submit one big PR for all
updates, but we found those PRs much harder to review, and much riskier to
merge. That said, more PRs is a bit noisier, so there is a tradeoff.

Another thing to note: we won't proactively bump sub-dependencies - they
only get bumped when the top-level dependency gets updated (e.g. *arel* will
only get updated when *activerecord* or *rails* gets updated). I'd
particularly like to hear thoughts on this one. If we did bump
sub-dependencies, the volume of PRs would dramatically increase, and could
be quite confusing ("what's loofah?! oh, a sub-sub-dependency of
rails...."). However, not bumping means we could miss out on important
patches.

We also wrote up a few blog posts explaining:

   - what Dependabot is
     <https://dependabot.com/blog/introducing-dependabot>,
   - why we think staying up-to-date is worthwhile
     <https://dependabot.com/blog/why-bother>,
   - and the impact of staying up-to-date on responding to security issues
     <https://dependabot.com/blog/the-latest-dependency-version-is-probably-the-most-secure>

Look forward to hearing your thoughts!

Harry
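The top-level versus sub-dependency distinction discussed above, as an added Ruby example that is not Dependabot's code: it parses a constructed Gemfile.lock, separates the gems declared under DEPENDENCIES from transitive-only ones, and reports which top-level gem each transitive gem would be bumped through (gem names and versions in the sample are assumptions).

```ruby
# Added example, not Dependabot's code: split a Gemfile.lock into top-level gems (those under
# DEPENDENCIES) and transitive-only gems. SAMPLE_LOCK is constructed; its versions are made up.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      activerecord (5.1.1)
        arel (~> 8.0)
      arel (8.0.0)
      loofah (2.0.3)
      rails (5.1.1)
        activerecord (= 5.1.1)
        rails-html-sanitizer (~> 1.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)

  DEPENDENCIES
    loofah (~> 2.0)
    rails (= 5.1.1)
LOCK
# Returns [{ gem => [direct dependency names] }, [top-level gem names]].
def parse_lockfile(text)
  specs, top_level, section, current = {}, [], nil, nil
  text.each_line(chomp: true) do |line|
    section = line if line =~ /\A[A-Z][A-Z ]*\z/               # GEM, DEPENDENCIES, ...
    if section == "GEM" && line =~ /\A {4}(\S+) \(/            # 4-space indent: a spec
      current = Regexp.last_match(1)
      specs[current] = []
    elsif section == "GEM" && current && line =~ /\A {6}(\S+)/ # 6-space: its dependency
      specs[current] << Regexp.last_match(1)
    elsif section == "DEPENDENCIES" && line =~ /\A {2}([^\s!]+)/
      top_level << Regexp.last_match(1)
    end
  end
  [specs, top_level]
end

# Does `from` transitively depend on `target`? `seen` guards against dependency cycles.
def reaches?(from, target, specs, seen = [])
  specs.fetch(from, []).any? do |dep|
    next false if seen.include?(dep)
    dep == target || reaches?(dep, target, specs, seen << dep)
  end
end

# Transitive-only gem => top-level gems whose update would carry its bump (never bumped alone).
def transitive_report(text)
  specs, top_level = parse_lockfile(text)
  (specs.keys - top_level).map { |g| [g, top_level.select { |tl| reaches?(tl, g, specs) }] }.to_h
end
transitive_report(SAMPLE_LOCK).each { |g, via| puts "#{g}: bumped only via #{via.join(', ')}" }
```

Note that loofah is excluded from the report because the sample Gemfile declares it directly, even though rails also pulls it in; the gems listed are the ones whose patches would only arrive through a top-level update.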