[LRUG] Automated gem updates

Mark Burns markthedeveloper at gmail.com
Tue May 30 13:10:31 PDT 2017


I think if I used this, I'd like the option to update dependencies of
dependencies. Otherwise, you may have a false sense of security. Other
tools would still flag them, leaving it as a manual step.

Perhaps the dependency chain to your app's dependencies could be
highlighted in the PR description. The title could also be different to
make it less confusing.

On Tue, 30 May 2017 at 23:48, Harry Marr <harry.marr at gmail.com> wrote:

> Thanks James, I'm glad you find it useful!
>
> So far we've deferred doing anything with git dependencies (including
> those specified in the Gemfile), but we're very aware we'll need to tackle
> them at some point! Handling dependencies that specify a tag would be tough
> - everyone uses different tagging schemes, and just using the most recently
> created could be dangerous - but dealing with branches should be relatively
> easy.
>
> On Tue, 30 May 2017 at 14:32, James Smith <james at floppy.org.uk> wrote:
>
>> Harry,
>>
>> This is bloody brilliant, thank you. We wrote something similar at the
>> Open Data Institute to do dependencies for us (
>> https://github.com/theodi/bimble), and always meant to turn it into a
>> proper SaaS thing, but never got time. Thank you for doing it so we don’t
>> have to :)
>>
>> I’ll give you bonus points if you can do git submodules too :)
>>
>> cheers,
>> James Smith
>>
>> On 30 May 2017 at 14:08:31, Harry Marr (harry.marr at gmail.com) wrote:
>>
>> El Rug, hola!
>>
>> A friend and I just released Dependabot <https://dependabot.com/>, a
>> tool (built in Ruby) for automatically keeping Ruby & JS dependencies
>> up-to-date. We'd love any feedback -- does this match your ideal flow for
>> keeping your Gemfile{,.lock} up-to-date? If not, what would you like to see
>> it do differently?
>>
>> Currently it'll run each morning and create a GitHub PR for each
>> dependency that needs bumping. We've seen other tools that submit one big
>> PR for all updates, but we found those PRs much harder to review, and much
>> riskier to merge. That said, more PRs is a bit noisier, so there is a
>> tradeoff.
>>
>> Another thing to note: we won't proactively bump sub-dependencies - they
>> only get bumped when the top-level dependency gets updated (e.g. *arel* will
>> only get updated when *activerecord* or *rails* gets updated). I'd
>> particularly like to hear thoughts on this one. If we did bump
>> sub-dependencies, the volume of PRs would dramatically increase, and could
>> be quite confusing ("what's loofah?! oh, a sub-sub-dependency of
>> rails...."). However, not bumping means we could miss out on important
>> patches.
>>
>> We also wrote up a few blog posts explaining:
>>
>>    - what Dependabot is
>>    <https://dependabot.com/blog/introducing-dependabot>,
>>    - why we think staying up-to-date is worthwhile
>>    <https://dependabot.com/blog/why-bother>,
>>    - and the impact of staying up-to-date on responding to security
>>    issues
>>    <https://dependabot.com/blog/the-latest-dependency-version-is-probably-the-most-secure>
>>
>> Look forward to hearing your thoughts!
>>
>> Harry
>>
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
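Mark's suggestion above, showing the chain from the app's own Gemfile dependencies down to a bumped sub-dependency in the PR description, as an added Ruby example (not Dependabot's code and not written by anyone in this thread). It parses the specs blocks of the GEM/GIT sections and the DEPENDENCIES section of a Gemfile.lock, walks the reverse dependency graph to list every route from a top-level gem to the one being bumped, and lists the gems that are only reachable transitively, which are the ones the thread says would not get their own PR. The lockfile text, the my_gem git dependency and its remote are constructed for the example.

```ruby
# Added example: explain why a sub-dependency is in Gemfile.lock by listing
# the chains from top-level Gemfile dependencies down to it.
module LockfileChains
  Spec = Struct.new(:name, :version, :deps)

  # Constructed lockfile for the example; the GIT remote is made up.
  SAMPLE_LOCKFILE = <<~LOCK
    GIT
      remote: https://example.invalid/my_gem.git
      revision: 0123456789abcdef0123456789abcdef01234567
      specs:
        my_gem (0.1.0)
          nokogiri (>= 1.6)

    GEM
      remote: https://rubygems.org/
      specs:
        actionpack (5.1.1)
          rails-html-sanitizer (~> 1.0, >= 1.0.3)
        activerecord (5.1.1)
          arel (~> 8.0)
        arel (8.0.0)
        loofah (2.0.3)
          nokogiri (>= 1.5.9)
        mini_portile2 (2.2.0)
        nokogiri (1.8.0)
          mini_portile2 (~> 2.2.0)
        rails (5.1.1)
          actionpack (= 5.1.1)
          activerecord (= 5.1.1)
        rails-html-sanitizer (1.0.3)
          loofah (~> 2.0)

    PLATFORMS
      ruby

    DEPENDENCIES
      my_gem!
      rails (~> 5.1)

    BUNDLED WITH
       1.15.1
  LOCK

  # Returns [specs_by_name, top_level_names]. Inside a GEM/GIT/PATH "specs:"
  # block, 4-space lines are gems and 6-space lines are their dependencies.
  # DEPENDENCIES lists the Gemfile's own gems; a trailing "!" marks a git or
  # path source and is stripped along with any version constraint.
  def self.parse(text)
    specs = {}
    top_level = []
    section = nil
    in_specs = false
    current = nil
    text.each_line do |raw|
      line = raw.chomp
      next if line.strip.empty?
      if line !~ /\A\s/ # unindented line: new section header
        section = line
        in_specs = false
        current = nil
        next
      end
      case section
      when "GEM", "GIT", "PATH"
        if line == "  specs:"
          in_specs = true
        elsif in_specs && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
          current = Spec.new($1, $2, [])
          specs[current.name] = current
        elsif in_specs && current && line =~ /\A {6}(\S+)/
          current.deps << $1
        end
      when "DEPENDENCIES"
        top_level << line.strip.sub(/!\z/, "").sub(/ \(.*\z/, "")
      end
    end
    [specs, top_level]
  end

  # Every chain from a top-level Gemfile dependency down to +gem+, e.g.
  # ["rails", "actionpack", "rails-html-sanitizer", "loofah"], found by
  # walking the reverse (dependents) graph upwards with a cycle guard.
  def self.chains_to(specs, top_level, gem)
    dependents = Hash.new { |h, k| h[k] = [] }
    specs.each_value { |s| s.deps.each { |d| dependents[d] << s.name } }
    results = []
    walk = lambda do |name, path|
      return if path.include?(name)
      path = [name] + path
      results << path if top_level.include?(name)
      dependents[name].each { |parent| walk.call(parent, path) }
    end
    walk.call(gem, [])
    results.sort
  end

  # Gems that are locked but not named in the Gemfile: the ones a tool that
  # only bumps top-level dependencies would never update on their own.
  def self.sub_dependencies(specs, top_level)
    (specs.keys - top_level).sort
  end

  # PR-description text: version plus each route from the Gemfile to +gem+.
  def self.describe(specs, top_level, gem)
    chains = chains_to(specs, top_level, gem)
    version = specs[gem] ? " (#{specs[gem].version})" : ""
    return "#{gem}#{version}: not reachable from any Gemfile dependency" if chains.empty?
    lines = ["#{gem}#{version} is required via:"]
    chains.each { |c| lines << "  " + c.join(" -> ") }
    lines.join("\n")
  end
end

if __FILE__ == $0
  specs, top = LockfileChains.parse(LockfileChains::SAMPLE_LOCKFILE)
  puts LockfileChains.describe(specs, top, "loofah")
  puts LockfileChains.describe(specs, top, "nokogiri")
  puts "Transitive only: #{LockfileChains.sub_dependencies(specs, top).join(', ')}"
end
```

Run against a real Gemfile.lock by reading the file instead of SAMPLE_LOCKFILE; the parser only looks at the specs blocks and DEPENDENCIES, so PLATFORMS, BUNDLED WITH and platform-suffixed versions are ignored rather than misread.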