chore: fix dependabot grouping#3142
Conversation
This commit changes the ordering of Dependabot update grouping such that the predefined groups take precedence over the `npm-minor` group. Prior to this commit, major version bumps of groups (e.g. eslint) were being captured by the `npm-minor` group, causing major version bumps from the same family of packages to be split up (and likely unmergable due to peer dependencies)
| update-types: | ||
| - "patch" | ||
| - "minor" | ||
| exclude-patterns: |
There was a problem hiding this comment.
I really don't like this in terms of maintainability. However, it's the only thing I've gotten to work in a separate (private) repo while noodling on it in my own time to try to relearn how Dependabot works.
My current thought is "if it's dumb and works, maybe it's not dumb" - at least until we find a better solution and can get through the babel upgrade that Dependabot brought our way this morning.
I'm open to closing this, and/or putting a task on the board to properly investigate a better solution. This feels so much like a hack and runs contrary to a good bit of the documentation
There was a problem hiding this comment.
If this is what it takes I would rather simply eliminate all of the groups other than the minor-updates ones — which I believe Brett suggested previously. I wanted to keep the existing groups since it would theoretically let us bundle together major updates of "related" packages that would otherwise be incompatible with each other, but given major updates don't happen that often and are more likely to require some manual code changes anyway, I don't think this would be too much of a downgrade in our experience — in fact, this is the experience we already have on most other repos.
There was a problem hiding this comment.
I can support that. I'm going to close this and cross reference it in a separate PR
Remove package-specific dependency groupings from the Dependabot configuration. Prior to this commit, we were seeing cases where NPM major version updates were falling into the `npm-minor` group. This caused related packages that were peer-dependent on one another's new major version to be split into separate PRs, causing each created PR to fail. The outcome following this PR is the same, and will require manual intervention from the dev team to fix cases of broken major version updates. This simply removes the groups to avoid future maintenance. One approach in #3142 was to move `npm-minor` to the bottom of the group list, and explicitly exclude each package in any group from `npm-minor`. This was tested to fix the above issue in a separate repo, but adds maintenance burden. As a result, we choose to simply remove the groups as they exist today
Can you point to a PR where this happened? I just went looking for one and couldn't actually find it. |
|
This recently occurred in a Dependabot action run - in the logs there's:
|
|
eslint is probably somewhat of an outlier here - we're waiting on |
|
I guess (in retrospect) I would have liked to actually see a PR that has the problem you describe (a major version update being included in a PR for the |
|
The problem was rather we had 2 PRs being created (e.g. #2999 and #3139) as a consequence of them each falling into the EDIT: That's what this PR intended to fix, to combine these dependencies into a single PR |
Right... I think that was something we already knew was happening, and had just never bothered to actually delete all the named groups since it was a no-op (it wasn't doing what we wanted, and after deleting them, it still wouldn't do what we wanted, in exactly the same way).
I see, so this PR specifically would have actually fixed everything to behave the way we wanted from the start, with both working |
(To both bolded above) Correct, I saw the babel bumps this morning, and knew that this was a way to fix the config, but with that cost. Apologies if that wasn't clear - ideally there'd be a way to show what the outcome would have been w/o merging it, and can see how the description could have been interpreted differently |
Asana task: N/A
Description
This commit changes the ordering of Dependabot update grouping such that the predefined groups take precedence over the
npm-minorgroup. Prior to this commit, major version bumps of groups (e.g. eslint) were being captured by thenpm-minorgroup, causing major version bumps from the same family of packages to be split up (and likely unmergable due to peer dependencies)