[LRUG] Automated gem updates

James Smith james at floppy.org.uk
Tue May 30 06:32:05 PDT 2017


Harry, 

This is bloody brilliant, thank you. We wrote something similar at the Open Data Institute to do dependencies for us (https://github.com/theodi/bimble), and always meant to turn it into a proper SaaS thing, but never got time. Thank you for doing it so we don’t have to :)

I’ll give you bonus points if you can do git submodules too :)

cheers,
James Smith

On 30 May 2017 at 14:08:31, Harry Marr (harry.marr at gmail.com) wrote:

El Rug, hola!

A friend and I just released Dependabot, a tool (built in Ruby) for automatically keeping Ruby & JS dependencies up-to-date. We'd love any feedback -- does this match your ideal flow for keeping your Gemfile{,.lock} up-to-date? If not, what would you like to see it do differently?

Currently it'll run each morning and create a GitHub PR for each dependency that needs bumping. We've seen other tools that submit one big PR for all updates, but we found those PRs much harder to review, and much riskier to merge. That said, more PRs is a bit noisier, so there is a tradeoff.

Another thing to note: we won't proactively bump sub-dependencies - they only get bumped when the top-level dependency gets updated (e.g. arel will only get updated when activerecord or rails gets updated). I'd particularly like to hear thoughts on this one. If we did bump sub-dependencies, the volume of PRs would dramatically increase, and could be quite confusing ("what's loofah?! oh, a sub-sub-dependency of rails...."). However, not bumping means we could miss out on important patches.

We also wrote up a few blog posts explaining:
- what Dependabot is,
- why we think staying up-to-date is worthwhile,
- and the impact of staying up-to-date on responding to security issues

Look forward to hearing your thoughts!

Harry
_______________________________________________  
Chat mailing list  
Chat at lists.lrug.org  
Archives: http://lists.lrug.org/pipermail/chat-lrug.org  
Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org  
List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org  
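The two design points in Harry's message (one PR per outdated top-level gem, and sub-dependencies only moving when their parent moves) can be made concrete against a Gemfile.lock. The following is an added example, not Dependabot's code and not from either message: it hand-parses a constructed lockfile, splits the DEPENDENCIES block (top-level gems) from the GEM specs (everything resolved), plans one update per outdated top-level gem, and then reports the outdated transitive gems that policy would leave untouched, which is exactly the "could miss important patches" caveat. The lockfile contents, the `latest` version map and all gem versions are constructed for illustration.

```ruby
# Added example (not Dependabot's own code): model the "one PR per top-level
# dependency, no proactive sub-dependency bumps" policy over a Gemfile.lock.
require "rubygems" # Gem::Version for semantic version comparison

# Constructed sample lockfile; versions are illustrative, not real releases.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    activerecord (5.1.1)
      activemodel (= 5.1.1)
      arel (~> 8.0)
    activemodel (5.1.1)
    arel (8.0.0)
    loofah (2.0.3)
      nokogiri (>= 1.5.9)
    nokogiri (1.7.2)
    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  activerecord (~> 5.1)
  rails-html-sanitizer

BUNDLED WITH
   1.15.0
LOCK

# Parse the GEM/specs block into { name => { version:, deps: [names] } } and
# the DEPENDENCIES block into the list of top-level gem names.
def parse_lockfile(text)
  specs = {}
  top_level = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    unless line.start_with?(" ")      # unindented line = section header
      section = line.strip
      next
    end
    case section
    when "GEM"
      indent = line[/\A */].size
      if indent == 4 && (m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\z/))
        current = m[1]                 # "    name (version)"
        specs[current] = { version: m[2], deps: [] }
      elsif indent == 6 && current
        specs[current][:deps] << line.strip.split(" ").first # "      dep (constraint)"
      end
    when "DEPENDENCIES"
      top_level << line.strip.split(" ").first.sub(/!\z/, "") # strip git-source marker
    end
  end
  { specs: specs, top_level: top_level }
end

def outdated?(current, latest)
  Gem::Version.new(latest) > Gem::Version.new(current)
end

# Names of every gem reachable from `name` through the lockfile's dependency edges.
def transitive_deps(specs, name, seen = [])
  specs.fetch(name, { deps: [] })[:deps].each do |dep|
    next if seen.include?(dep)
    seen << dep
    transitive_deps(specs, dep, seen)
  end
  seen
end

# One PR per outdated top-level gem, carrying the transitive gems that PR may
# touch. Outdated transitive gems not reachable from any outdated top-level
# gem are reported as skipped: patches this policy would not pick up.
def plan_updates(lock, latest)
  specs, top_level = lock.values_at(:specs, :top_level)
  prs = []
  covered = []
  top_level.each do |name|
    next unless latest.key?(name) && outdated?(specs[name][:version], latest[name])
    subs = transitive_deps(specs, name)
    covered.concat(subs)
    prs << { gem: name, from: specs[name][:version], to: latest[name], sub_dependencies: subs }
  end
  skipped = specs.keys
                 .reject { |n| top_level.include?(n) || covered.include?(n) }
                 .select { |n| latest.key?(n) && outdated?(specs[n][:version], latest[n]) }
                 .map { |n| { gem: n, from: specs[n][:version], to: latest[n] } }
  { prs: prs, skipped: skipped }
end

if $PROGRAM_NAME == __FILE__
  # Constructed "latest version" map standing in for a registry lookup.
  latest = { "activerecord" => "5.1.2", "loofah" => "2.1.0", "nokogiri" => "1.8.0" }
  plan = plan_updates(parse_lockfile(SAMPLE_LOCKFILE), latest)
  plan[:prs].each { |pr| puts "PR: #{pr[:gem]} #{pr[:from]} -> #{pr[:to]} (may touch #{pr[:sub_dependencies].join(', ')})" }
  plan[:skipped].each { |s| puts "skipped transitive update: #{s[:gem]} #{s[:from]} -> #{s[:to]}" }
end
```

Running it with the constructed inputs yields a single PR for activerecord and two skipped transitive updates (loofah and nokogiri), because their only top-level parent, rails-html-sanitizer, has no newer version in the map. The `skipped` list is the thing to watch from a security standpoint: a tool that follows the no-proactive-sub-dependency-bumps rule needs some other signal (an advisory feed, or a periodic `bundle update --conservative` style sweep) to catch patches that live in that list.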