Reduce Dependabot PR noise for NPM package ecosystem
To reduce the noise of too many PRs from NPM dependencies, where most of
them are only scoped for (local) development, two optimizations have
been made:

1. The schedule changed to the `monthly` interval [1].
   This is still enough to keep up with the fast updates in the NPM
   ecosystem.
2. Only watch production packages (`dependencies`) and ignore
   development packages (`devDependencies`).
   The packages used for local or CI/CD development purposes are not
   required to be the latest version just for the sake of being
   up-to-date without a specific need or benefit.

Since GitHub takes security really seriously [2], important Dependabot
security updates [3] are triggered manually by a security advisor so
there is no risk of missing important version bumps when reducing the
schedule interval.

  "Use the `allow` option to customize which dependencies are updated.
  This has no impact on security updates for vulnerable dependencies."

[1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
[2]: https://github.com/security
[3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates

GH-65
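For context, the complete `.github/dependabot.yml` that the commit message describes, written out as an added example rather than copied from the repository. The `version`, `package-ecosystem`, `directory`, `schedule`, `allow`, `reviewers` and `labels` keys are all documented Dependabot configuration options; the label value `"dependencies"` is an assumption, since the commit page does not show the repository's label names.

```yaml
# Added example of the configuration this commit arrives at; not the
# repository's own file.
version: 2
updates:
  - package-ecosystem: "npm"
    # Location of the package.json relative to the repository root.
    directory: "/"
    schedule:
      # Version-update PRs are opened at most once a month (GH-65).
      # Before this change the interval was "weekly".
      interval: "monthly"
    allow:
      # Only packages listed under `dependencies` in package.json get
      # version-update PRs; `devDependencies` are left alone.
      # Per the Dependabot docs, `allow` does not affect security updates
      # for vulnerable packages, so those still arrive for either group.
      - dependency-type: "production"
    reviewers:
      - "svengreb"
    labels:
      # Assumed label name; the page does not show the real value.
      - "dependencies"
```

The two knobs act on different things: `schedule.interval` controls how often Dependabot looks for ordinary version bumps, while `allow` filters which packages are eligible for those bumps. Neither narrows the security updates that the quoted documentation says remain unaffected.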
svengreb committed Dec 12, 2020
1 parent 3528754 commit 22ecca6
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion .github/dependabot.yml
@@ -24,7 +24,9 @@ updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
interval: "monthly"
allow:
- dependency-type: "production"
reviewers:
- "svengreb"
labels:
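Review bot: the rationale for the new `allow:` block and the `interval: "monthly"` change is recorded only in the commit message, not in the file; add a short YAML comment above `allow:` (e.g. `# only `dependencies`, not `devDependencies`; see GH-65`) and one beside `interval: "monthly"` so a later maintainer does not re-widen the scope or shorten the schedule without knowing why they were narrowed. Note that `- dependency-type: "production"` limits version-update PRs only: per the documentation text quoted in the commit message, `allow` has no impact on security updates, so a vulnerable package in `devDependencies` will still produce a security PR while its routine bumps stop, which is the intended outcome here and worth stating in that comment.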
