<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Having used it for a week now, and not being one of the developers, let me give my perspective :)</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">It’s *super useful* for updating those sort of dependencies as it does one gem per PR, and over time will slowly creep your app forward, letting you resolve one problem at a time. I’m doing exactly that on a bunch of old apps that have exactly that sort of dependency chain, and it’s working great. There might well be something it can’t resolve, but that will become clear once the rest are done. It’s probably not perfect but I’m finding it useful, for sure.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">As for making sure things don’t break, well… you’ve got tests right? ;)</div> <br> <div class="bloop_sign" id="bloop_sign_1496746246547781888"><div style="font-family:helvetica,arial;font-size:13px">cheers,<br>James Smith<br></div></div> <br><p class="airmail_on">On 6 June 2017 at 11:49:09, Jesse Waites (<a href="mailto:jesse.waites@gmail.com">jesse.waites@gmail.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div><div></div><div>
<title></title>
<div dir="ltr">I'm not understanding quite how this will work
in a real world situation. For example, I tried to add rails_admin
to a project last
<div>week. Turns out that rails_admin depends on Kaminari, which
uses the same helper as some other pagination system I had already
installed. Solving that problem was a pain. </div>
<div><br></div>
<div>It seems to me that, especially in older rails applications,
things end up in kind of a delicate situation. X gem has a
dependency on Y gem no higher than the 1,5 version, which means I
have to use an older version of X because Z gem depends on it...
Hopefully some of you have experienced this and know what I mean.
So in situations like that, I'm not sure how useful automating it
would be. But I guess you could just lock those and automatically
update everything else?</div>
<div><br></div>
<div>I'm also wondering how you could be sure the app doesn't due
to updating gems from this tool. </div>
<div><br></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 31, 2017 at 6:07 AM, Harry
Marr <span dir="ltr"><<a href="mailto:harry.marr@gmail.com" target="_blank">harry.marr@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Yes - good point Ben. Using Snyk would definitely
mitigate the risk of moving to less regular updating. We'll get
weekly updating implemented ASAP :-)</div>
<div class="HOEnZb">
<div class="h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 31, 2017 at 11:02 AM, Ben
Lovell <span dir="ltr"><<a href="mailto:benjamin.lovell@gmail.com" target="_blank">benjamin.lovell@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote"><span>On 31 May 2017 at 10:59, Harry Marr
<span dir="ltr"><<a href="mailto:harry.marr@gmail.com" target="_blank">harry.marr@gmail.com</a>></span> wrote:<br></span>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">Thanks Stuart!
<div><br></div>
<div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span class="m_3821748899637643396m_-4592502169118194276gmail-">We’ve had it
running with some of the ODI gems, and it’s a tad noisy to get PRs
on a daily basis. Could there be an option to do it
weekly?</span></blockquote>
<div><span class="m_3821748899637643396m_-4592502169118194276gmail-"><br></span></div>
<div>The advantage of daily bumping is you'll pull in vulnerability
fixes faster,</div>
</div>
</div>
</blockquote>
<div><br></div>
<div>Snyk <a href="https://snyk.io/" target="_blank">https://snyk.io/</a> is worth an honourable mention
here.<br></div>
<div>
<div class="m_3821748899637643396h5">
<div> </div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>but I can definitely see the argument for a less noisy mode
though, so we'll add weekly bumping as an option. Longer term we
may keep track of vulnerabilities, which would let us bump
vulnerable gems immediately, while doing the standard bumping run
less regularly.</div>
<div><span class="m_3821748899637643396m_-4592502169118194276gmail-"> </span></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<span class="m_3821748899637643396m_-4592502169118194276gmail-">I’ve also
noticed that it seems to default to only one organisation, and I
can’t seem to work out how to manage personal repos or any other
orgs?</span></blockquote>
</div>
<div><br></div>
<div>This is because we're using GitHub's new <a href="https://developer.github.com/apps/" target="_blank">apps</a> API
(formerly known as <a href="https://developer.github.com/changes/2017-04-25-Integrations-Pre-Release/" target="_blank">integrations</a>). Unlike traditional OAuth
integrations, you install the app to each GitHub account (org or
your personal account) individually, and can give access to only
specific repos within the account.</div>
<div><br></div>
<div>To add accounts to Dependabot, click the dropdown in the top
right and select "Add account". We're aware this is not totally
intuitive, so we'll have a think about how we could make it
clearer!</div>
<div><br></div>
<div>Thanks again - that's really helpful feedback.</div>
<div><br></div>
</div>
<div class="m_3821748899637643396m_-4592502169118194276gmail-HOEnZb">
<div class="m_3821748899637643396m_-4592502169118194276gmail-h5">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, May 31, 2017 at 9:31 AM, Stuart
Harrison <span dir="ltr"><<a href="mailto:pezholio@gmail.com" target="_blank">pezholio@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="word-wrap:break-word">
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgb(0,0,0);margin:0px">
I love this, thank you! (for the record, I worked with James at the
Open Data Institute on Bimble)</div>
<div><br></div>
We’ve had it running with some of the ODI gems, and it’s a tad
noisy to get PRs on a daily basis. Could there be an option to do
it weekly? When I was at the ODI, this is what we did with Bimble,
and this meant we had some time scheduled to review all the
updates, check the tests passed and merge.
<div><br></div>
<div>I’ve also noticed that it seems to default to only one
organisation, and I can’t seem to work out how to manage personal
repos or any other orgs?</div>
<div><br></div>
<div>Other than that, it looks awesome! :)</div>
<div>
<div class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653h5">
<div>
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358bloop_sign_1496219217367667968" class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358bloop_sign">
</div>
<br>
<p class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358airmail_on">
On 30 May 2017 at 21:11:00, Mark Burns (<a href="mailto:markthedeveloper@gmail.com" target="_blank">markthedeveloper@gmail.com</a>) wrote:</p>
<blockquote type="cite" class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358clean_bq">
<div>
<div><span>I think if I used this, I'd like the option to update
dependencies of dependencies. Otherwise, you may have a false sense
of security. Other tools would still flag them leaving it as a
manual step.<br>
<br>
Perhaps the dependency chain to your app's dependencies could be
highlighted in the PR description. The title could also be
different to make it less confusing.<br></span>
<div class="gmail_quote">
<div dir="ltr"><span>On Tue, 30 May 2017 at 23:48, Harry Marr
<<a href="mailto:harry.marr@gmail.com" target="_blank">harry.marr@gmail.com</a>> wrote:<br></span></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div><span>Thanks James, I'm glad you find it useful!</span></div>
<div><span><br></span></div>
<div><span>So far we've deferred doing anything with git
dependencies (including those specified in the Gemfile), but we're
very aware we'll need to tackle them at some point! Handling
dependencies that specify a tag would be tough - everyone uses
different tagging schemes, and just using the most recently created
could be dangerous - but dealing with branches should be relatively
easy.</span></div>
</div>
<div dir="ltr">
<div><span><br></span>
<div class="gmail_quote">
<div><span>On Tue, 30 May 2017 at 14:32, James Smith <<a href="mailto:james@floppy.org.uk" target="_blank">james@floppy.org.uk</a>> wrote:<br></span></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div style="word-wrap:break-word">
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgb(0,0,0);margin:0px">
<span>Harry, </span></div>
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgb(0,0,0);margin:0px">
<span><br></span></div>
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgb(0,0,0);margin:0px">
<span>This is bloody brilliant, thankyou. We wrote something
similar at the Open Data Institute to do dependencies for us
(<a href="https://github.com/theodi/bimble" target="_blank">https://github.com/theodi/bim<wbr>ble</a>), and always
meant to turn it into a proper SaaS thing, but never got time.
Thankyou for doing it so we don’t have to :)</span></div>
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgb(0,0,0);margin:0px">
<span><br></span></div>
<div id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;color:rgb(0,0,0);margin:0px">
<span>I’ll give you bonus points if you can do git submodules too
:)</span></div>
<span><br></span>
<div class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_sign" id="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581bloop_sign_1496151036463767040">
<div style="font-family:helvetica,arial;font-size:13px">
<span>cheers,<br>
James Smith<br></span></div>
</div>
</div>
<div style="word-wrap:break-word"><span><br></span>
<p class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581airmail_on">
<span>On 30 May 2017 at 14:08:31, Harry Marr (<a href="mailto:harry.marr@gmail.com" target="_blank">harry.marr@gmail.com</a>) wrote:</span></p>
</div>
<div style="word-wrap:break-word">
<blockquote type="cite" class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581clean_bq">
<div>
<div>
<div><span><span><span style="font-size:12.8px">El Rug,
hola!</span></span></span>
<div style="font-size:12.8px"><br></div>
<div style="font-size:12.8px">A friend and I just
released <a href="https://dependabot.com/" target="_blank">Dependabot</a>, a tool (built in Ruby) for automatically
keeping Ruby & JS dependencies up-to-date. We'd love any
feedback -- does this match your ideal flow for keeping your
Gemfile{,.lock} up-to-date? If not, what would you like to see it
do differently?</div>
<div style="font-size:12.8px"><br></div>
<div style="font-size:12.8px">Currently it'll run each morning and
create a GitHub PR for each dependency that needs bumping. We've
seen other tools that submit one big PR for all updates, but we
found those PRs much harder to review, and much risker to merge.
That said, more PRs is a bit noisier, so there is a tradeoff.</div>
<div style="font-size:12.8px"><br></div>
<div style="font-size:12.8px">Another thing to note: we won't
proactively bump sub-dependencies - they only get bumped when the
top-level dependency gets updated (e.g. <i>arel</i> will
only get updated
when <i>activerecord</i> or <i>rails</i> get<wbr>s
updated). I'd particularly like to hear thoughts on this one. If we
did bump sub-dependencies, the volume of PRs would dramatically
increase, and could be quite confusing ("what's loofah?! oh, a
sub-sub-dependency of rails...."). However, not bumping means we
could miss out on important patches.</div>
<div style="font-size:12.8px"><br></div>
<div style="font-size:12.8px">We also wrote up a few blog posts
explaining:</div>
<div style="font-size:12.8px">
<ul>
<li style="margin-left:15px"><a href="https://dependabot.com/blog/introducing-dependabot" target="_blank">what Dependabot is</a>,</li>
<li style="margin-left:15px"><a href="https://dependabot.com/blog/why-bother" target="_blank">why we
think staying up-to-date is worthwhile</a>,</li>
<li style="margin-left:15px">and <a href="https://dependabot.com/blog/the-latest-dependency-version-is-probably-the-most-secure" target="_blank">the impact of staying up-to-date on responding to
security issues</a><br></li>
</ul>
</div>
<div style="font-size:12.8px">Look forward to hearing your
thoughts!</div>
<div style="font-size:12.8px"><br></div>
<div style="font-size:12.8px">Harry</div>
<div class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581gmail-yj6qo m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581gmail-ajU" style="margin:2px 0px 0px;font-size:12.8px"></div>
</div>
</div>
</div>
</blockquote>
</div>
<div style="word-wrap:break-word">
<blockquote type="cite" class="m_3821748899637643396m_-4592502169118194276gmail-m_-2107045702076330653m_-2316739253536516358m_8567237508203902774m_4852131179407009737m_-4822114200331305581clean_bq">
<div>
<div>
<span>______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
</span></div>
</div>
</blockquote>
</div>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
</blockquote>
</div>
</div>
</div>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
</blockquote>
</div>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
<br></blockquote>
</div>
<br></div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
<br></blockquote>
</div>
</div>
</div>
<br></div>
</div>
<br>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org" target="_blank">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/pipermai<wbr>l/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/listinfo<wbr>.cgi/chat-lrug.org</a><br>
<br></blockquote>
</div>
<br></div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
Chat mailing list<br>
<a href="mailto:Chat@lists.lrug.org">Chat@lists.lrug.org</a><br>
Archives: <a href="http://lists.lrug.org/pipermail/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/<wbr>pipermail/chat-lrug.org</a><br>
Manage your subscription: <a href="http://lists.lrug.org/options.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/options.<wbr>cgi/chat-lrug.org</a><br>
List info: <a href="http://lists.lrug.org/listinfo.cgi/chat-lrug.org" rel="noreferrer" target="_blank">http://lists.lrug.org/<wbr>listinfo.cgi/chat-lrug.org</a><br>
<br></blockquote>
</div>
<br>
<br clear="all">
<div><br></div>
--<br>
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">
<div>
<div dir="ltr">
<div dir="ltr">
<div>Jesse Waites</div>
<div>Web Developer</div>
<div><a href="http://JesseWaites.com" target="_blank">JesseWaites.com</a></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
_______________________________________________
<br>Chat mailing list
<br>Chat@lists.lrug.org
<br>Archives: http://lists.lrug.org/pipermail/chat-lrug.org
<br>Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
<br>List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
<br></div></div></span></blockquote></body></html>