I’m setting up Dependabot to help maintain an addon. I am trying to decide which dependencies I should ignore.
There are some obvious ones like ember-cli and ember-source. But what about eslint-config-airbnb-base, as one example? Should Dependabot ignore this package and only update it when Ember does? Will Ember update it at all: does it maintain linting tools, or does it leave that to each developer's preference once the initial install is complete?
As I've been looking at examples of Dependabot configs in other Ember projects, I've seen many in the Ember community using Renovatebot instead. Does anyone have experience using it? How is it different from Dependabot (GitHub-native), and is there an obvious reason for an Ember developer to choose one over the other?
I think this is a great question because it's not always easy to tell. I can't speak to Renovate bot as I haven't tried it yet.
I normally just generate a fresh addon/app blueprint and tell Dependabot to ignore everything in the default blueprint package.json. Presumably that would all be updated by ember-cli-update. For example, the default blueprint for a 3.28 app has these for lint:
(No mention of the airbnb one, not in the lockfile either)
That said, there's not necessarily anything wrong with letting it update everything, or almost everything. If you trust your test suite it's a good way to tell if new packages are working in your app, and it can probably help a lot with Ember upgrades as a lot of stuff will already be up to date. The downside is it gets very noisy, which is why I usually let it update just the stuff that's not in the app/addon blueprints.
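The "ignore everything the blueprint owns" approach above can be scripted rather than typed by hand. The following is an added example, not code from the thread or from Ember CLI: it takes the package.json that `ember new`/`ember addon` generated (here a constructed stand-in, not the real 3.28 blueprint) and the project's own package.json, keeps only the blueprint packages the project still uses, and renders the matching `ignore` entries for `.github/dependabot.yml` plus the equivalent Renovate `packageRules` entry, since the original question asks about both tools. Package names and versions in the two sample objects are illustrative.

```javascript
// Added example (not from the original thread): derive the set of packages that
// ember-cli-update owns from a fresh blueprint package.json and emit matching
// "leave these alone" rules for Dependabot and for Renovate.
//
// Constructed sample inputs: `blueprintPkg` stands in for the package.json that
// `ember new` / `ember addon` generates; `projectPkg` is the real project after
// the developer added their own tooling. Versions and names are illustrative.

const blueprintPkg = {
  name: "my-addon",
  devDependencies: {
    "ember-cli": "~3.28.0",
    "ember-source": "~3.28.0",
    "eslint": "^7.32.0",
    "eslint-plugin-ember": "^10.5.4",
    "ember-template-lint": "^3.6.0",
    "prettier": "^2.3.2",
  },
  dependencies: {
    "ember-cli-babel": "^7.26.6",
  },
};

const projectPkg = {
  name: "my-addon",
  devDependencies: {
    "ember-cli": "~3.28.0",
    "ember-source": "~3.28.0",
    "eslint": "^7.32.0",
    "eslint-config-airbnb-base": "^14.2.1", // developer's choice, not in the blueprint
    "eslint-plugin-ember": "^10.5.4",
    "ember-template-lint": "^3.6.0",
    "prettier": "^2.3.2",
  },
  dependencies: {
    "ember-cli-babel": "^7.26.6",
    "ember-auto-import": "^2.2.0", // developer's choice, not in the blueprint
  },
};

// Every dependency name a package.json declares, across both sections.
function dependencyNames(pkg) {
  return new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.devDependencies || {}),
  ]);
}

// Blueprint packages the project still uses, sorted for stable output.
// Packages the project has since dropped are skipped so the ignore list does not rot.
function blueprintOwned(blueprint, project) {
  const mine = dependencyNames(project);
  return [...dependencyNames(blueprint)].filter((n) => mine.has(n)).sort();
}

// Everything else was added by the developer and is left to the bot.
function botManaged(blueprint, project) {
  const theirs = dependencyNames(blueprint);
  return [...dependencyNames(project)].filter((n) => !theirs.has(n)).sort();
}

// .github/dependabot.yml with one `ignore` entry per blueprint-owned package.
function dependabotYaml(names) {
  const lines = [
    "version: 2",
    "updates:",
    '  - package-ecosystem: "npm"',
    '    directory: "/"',
    "    schedule:",
    '      interval: "weekly"',
    "    ignore:",
  ];
  for (const n of names) lines.push(`      - dependency-name: "${n}"`);
  return lines.join("\n") + "\n";
}

// renovate.json equivalent: a packageRule that disables those same packages.
function renovateConfig(names) {
  return {
    $schema: "https://docs.renovatebot.com/renovate-schema.json",
    extends: ["config:base"],
    packageRules: [{ matchPackageNames: names, enabled: false }],
  };
}

const owned = blueprintOwned(blueprintPkg, projectPkg);
console.log(dependabotYaml(owned));
console.log(JSON.stringify(renovateConfig(owned), null, 2));
console.log("left to the bot:", botManaged(blueprintPkg, projectPkg).join(", "));
```

Run it with `node` from the project root after copying the blueprint's package.json next to it; in the sample data above, eslint-config-airbnb-base and ember-auto-import are the only packages the bot keeps updating, which answers the question about the airbnb config directly: it is not blueprint-owned, so nothing in the Ember upgrade path will bump it for you.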
I do the opposite and let RenovateBot update every dependency. This works very well since config/ember-cli-update.js has been introduced. RenovateBot is responsible for keeping dependencies up-to-date. Ember CLI Update upgrades blueprint files.
The noise can be reduced by configuring RenovateBot to maintain the lock file automatically. RenovateBot can be configured to upgrade all dependencies within their configured range on a fixed schedule and automerge that if CI passes. Very handy.
I found that Ember upgrades are way less tricky if each package and the blueprint files are upgraded separately. Splitting it up into several smaller pull requests makes it much easier to track down issues caused by the upgrade.
I cannot speak much about Dependabot, but a main trade-off I have heard about is the missing auto-merge feature.
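A renovate.json that does what the reply above describes, added here as an example and not taken from the thread or from any Ember project: lock-file maintenance runs on a weekly schedule and is automerged, and the in-range lock-file refresh stays separate from real version bumps, which still arrive one package per pull request. Renovate only automerges when the repository's checks pass (the `ignoreTests` option, which defaults to false, is what would turn that gate off), so the test suite is the only thing standing between a freshly published patch release and `main`; that is the trade-off to weigh against the reduced noise, and the `packageRules` entry keeps major bumps out of automerge so those still get a human review. The schedule string is an assumption, pick whatever fits the team.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "lockFileMaintenance": {
    "enabled": true,
    "automerge": true,
    "schedule": ["before 6am on monday"]
  },
  "packageRules": [
    {
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```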