mirror of
https://github.com/prometheus/prometheus.git
synced 2025-08-05 05:37:10 +02:00
This is just IMO, but getting my inbox flooded every month with hundreds of dependabot PRs is annoying, even if I don't end up handling most of them myself (thanks to others who do!).

And then philosophically, I don't know if this is even the right approach. I don't think that whoever merges these PRs actually has the capacity or the knowledge to check that everything is still working as expected. Often subtle things can break after package updates, like a class name from an npm package not fitting to a style definition in our code anymore (as happened once with e.g. codemirror in the past, and nobody noticed when merging, and that bug is still present in Thanos' port of our UI). And you can't look in detail at the UI for every little PR that dependabot sends.

Node module dependencies are inherently very noisy because there are so many of them, but I think a better approach would be to update them maybe once or twice a year (or whenever really needed), with all deps updated together, at a time when a maintainer has the time to really look at things carefully, and then do a comprehensive manual check of the UI to see that everything is still behaving as before.

Signed-off-by: Julius Volz <julius.volz@gmail.com>
28 lines
595 B
YAML
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "monthly"
  - package-ecosystem: "github-actions"
    directories:
      - "/"
      - "/scripts"
    schedule:
      interval: "monthly"
  - package-ecosystem: "gomod"
    directories:
      - "/"
      - "/documentation/examples/remote_storage"
      - "/internal/tools"
    schedule:
      interval: "monthly"
    groups:
      k8s.io:
        patterns:
          - "k8s.io/*"
      go.opentelemetry.io:
        patterns:
          - "go.opentelemetry.io/*"
    open-pull-requests-limit: 20