Commits on Dec 12, 2020

1. Reduce Dependabot PR noise for NPM package ecosystem …

   To reduce the noise of too many PRs from NPM dependencies, where most of
   them are only scoped for (local) development, two optimizations have
   been made:
   
   1. The schedule changed to the `monthly` interval [1].
      This is still enough to keep up with the fast updates in the NPM
      ecosystem.
   2. Only watch production packages (`dependencies`) and ignore
      development packages (`devDependencies`).
      The packages used for local or CI/CD development purposes are not
      required to be the latest version just for the sake of being
      up-to-date without a specific need or benefit.
   
   Since GitHub takes security really serious [2], important Dependabot
   security updates [3] are triggered manually by a security advisor so
   there is no risk of missing important versions bumps when reducing the
   schedule interval.
   
     "Use the `allow` option to customize which dependencies are updated.
     This has no impact on security updates for vulnerable dependencies."
   
   [1]: https://docs.github.com/en/free-pro-team@latest/github/administering-a-repository/configuration-options-for-dependency-updates#scheduleinterval
   [2]: https://github.com/security
   [3]: https://docs.github.com/en/free-pro-team@latest/github/managing-security-vulnerabilities/about-dependabot-security-updates
   
   GH-65

   

   svengreb committed Dec 12, 2020
   Configuration menu

   • View commit details
   • Copy full SHA for 22ecca6
   • Browse repository at this point

   Copy the full SHA

   22ecca6 View commit details

   Browse the repository at this point in the history