[LRUG] Automated gem updates

Ben Lovell benjamin.lovell at gmail.com
Wed May 31 03:02:57 PDT 2017


On 31 May 2017 at 10:59, Harry Marr <harry.marr at gmail.com> wrote:

> Thanks Stuart!
>
> We’ve had it running with some of the ODI gems, and it’s a tad noisy to
>> get PRs on a daily basis. Could there be an option to do it weekly?
>
>
> The advantage of daily bumping is you'll pull in vulnerability fixes
> faster,
>

Snyk https://snyk.io/ is worth an honourable mention here.


> but I can definitely see the argument for a less noisy mode though, so
> we'll add weekly bumping as an option. Longer term we may keep track of
> vulnerabilities, which would let us bump vulnerable gems immediately, while
> doing the standard bumping run less regularly.
>
>
>> I’ve also noticed that it seems to default to only one organisation, and
>> I can’t seem to work out how to manage personal repos or any other orgs?
>
>
> This is because we're using GitHub's new apps
> <https://developer.github.com/apps/> API (formerly known as integrations
> <https://developer.github.com/changes/2017-04-25-Integrations-Pre-Release/>).
> Unlike traditional OAuth integrations, you install the app to each GitHub
> account (org or your personal account) individually, and can give access to
> only specific repos within the account.
>
> To add accounts to Dependabot, click the dropdown in the top right and
> select "Add account". We're aware this is not totally intuitive, so we'll
> have a think about how we could make it clearer!
>
> Thanks again - that's really helpful feedback.
>
>
> On Wed, May 31, 2017 at 9:31 AM, Stuart Harrison <pezholio at gmail.com>
> wrote:
>
>> I love this, thank you! (for the record, I worked with James at the Open
>> Data Institute on Bimble)
>>
>> We’ve had it running with some of the ODI gems, and it’s a tad noisy to
>> get PRs on a daily basis. Could there be an option to do it weekly? When I
>> was at the ODI, this is what we did with Bimble, and this meant we had some
>> time scheduled to review all the updates, check the tests passed and merge.
>>
>> I’ve also noticed that it seems to default to only one organisation, and
>> I can’t seem to work out how to manage personal repos or any other orgs?
>>
>> Other than that, it looks awesome! :)
>>
>> On 30 May 2017 at 21:11:00, Mark Burns (markthedeveloper at gmail.com)
>> wrote:
>>
>> I think if I used this, I'd like the option to update dependencies of
>> dependencies. Otherwise, you may have a false sense of security. Other
>> tools would still flag them leaving it as a manual step.
>>
>> Perhaps the dependency chain to your app's dependencies could be
>> highlighted in the PR description. The title could also be different to
>> make it less confusing.
>> On Tue, 30 May 2017 at 23:48, Harry Marr <harry.marr at gmail.com> wrote:
>>
>>> Thanks James, I'm glad you find it useful!
>>>
>>> So far we've deferred doing anything with git dependencies (including
>>> those specified in the Gemfile), but we're very aware we'll need to tackle
>>> them at some point! Handling dependencies that specify a tag would be tough
>>> - everyone uses different tagging schemes, and just using the most recently
>>> created could be dangerous - but dealing with branches should be relatively
>>> easy.
>>>
>>> On Tue, 30 May 2017 at 14:32, James Smith <james at floppy.org.uk> wrote:
>>>
>>>> Harry,
>>>>
>>>> This is bloody brilliant, thankyou. We wrote something similar at the
>>>> Open Data Institute to do dependencies for us (
>>>> https://github.com/theodi/bimble), and always meant to turn it into a
>>>> proper SaaS thing, but never got time. Thankyou for doing it so we don’t
>>>> have to :)
>>>>
>>>> I’ll give you bonus points if you can do git submodules too :)
>>>>
>>>> cheers,
>>>> James Smith
>>>>
>>>> On 30 May 2017 at 14:08:31, Harry Marr (harry.marr at gmail.com) wrote:
>>>>
>>>> El Rug, hola!
>>>>
>>>> A friend and I just released Dependabot <https://dependabot.com/>, a
>>>> tool (built in Ruby) for automatically keeping Ruby & JS dependencies
>>>> up-to-date. We'd love any feedback -- does this match your ideal flow for
>>>> keeping your Gemfile{,.lock} up-to-date? If not, what would you like to see
>>>> it do differently?
>>>>
>>>> Currently it'll run each morning and create a GitHub PR for each
>>>> dependency that needs bumping. We've seen other tools that submit one big
>>>> PR for all updates, but we found those PRs much harder to review, and much
>>>> risker to merge. That said, more PRs is a bit noisier, so there is a
>>>> tradeoff.
>>>>
>>>> Another thing to note: we won't proactively bump sub-dependencies -
>>>> they only get bumped when the top-level dependency gets updated (e.g.
>>>> *arel* will only get updated when *activerecord* or *rails* gets
>>>> updated). I'd particularly like to hear thoughts on this one. If we did
>>>> bump sub-dependencies, the volume of PRs would dramatically increase, and
>>>> could be quite confusing ("what's loofah?! oh, a sub-sub-dependency of
>>>> rails...."). However, not bumping means we could miss out on important
>>>> patches.
>>>>
>>>> We also wrote up a few blog posts explaining:
>>>>
>>>>    - what Dependabot is
>>>>    <https://dependabot.com/blog/introducing-dependabot>,
>>>>    - why we think staying up-to-date is worthwhile
>>>>    <https://dependabot.com/blog/why-bother>,
>>>>    - and the impact of staying up-to-date on responding to security
>>>>    issues
>>>>    <https://dependabot.com/blog/the-latest-dependency-version-is-probably-the-most-secure>
>>>>
>>>> Look forward to hearing your thoughts!
>>>>
>>>> Harry
>>>>
>>>> _______________________________________________
>>>> Chat mailing list
>>>> Chat at lists.lrug.org
>>>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>>>> Manage your subscription: http://lists.lrug.org/options.
>>>> cgi/chat-lrug.org
>>>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>>>
>>>> _______________________________________________
>>>> Chat mailing list
>>>> Chat at lists.lrug.org
>>>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>>>> Manage your subscription: http://lists.lrug.org/options.
>>>> cgi/chat-lrug.org
>>>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>>>
>>> _______________________________________________
>>> Chat mailing list
>>> Chat at lists.lrug.org
>>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>>> Manage your subscription: http://lists.lrug.org/options.
>>> cgi/chat-lrug.org
>>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>>
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
>>
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
>> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
>> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
>>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20170531/1c0240d0/attachment-0002.html>


More information about the Chat mailing list