You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Right now does Dependabot only offer a updates[].target-branch setting that according to the docs is using the specified branch as both the source and final target branch for a PR.
This setup has its flaws, which can be most prominent when you have a repository with multiple modules that each have their own package management (i.e. a multi-module Maven project).
When dependabot now finds an update in a dependency, and this dependency is used across multiple modules, will it make separate PRs for each of those modules.
While this isn't as much of a problem, will it become one if the dependency bump is a breaking change and you have a CI set up that builds of the same target branch as configured in Dependabot.
Merging those PRs into the target branch can (and probably will) now create failed builds as one module has the bumped version, while the others don't.
I'll give a quick example with a list of events:
Setup
Repository Example 4 modules using Maven.
3 modules use the dependency com.example:Example which is on version 1.2.3
A CI is set up to build new jars using the main branch
Dependabot is configured to use main as target-branch for all modules.
Dependabot detects that com.example:Example has a new version 2.0.0 (Changelog mention breaking changes)
Dependabot creates 3 Pull requests to bump the version for each module using the dependency.
1st PR is merged: CI returns failure because the 2nd and 3rd module still use the old version.
2nd PR is merged: CI returns failure because the 3rd module still uses the old version.
3rd PR is merged: CI returns success.
From this example alone, which is based on one of my own repositories, can you see that the CI would report 2 failed builds because of the PRs all targeting the main branch and the PRs being separate.
While I can see the option of having all bumps for a particular package ecosystem being in the same PR do I feel like keeping them separate is a good idea, especially if for some reason the bump of the dependency in one module isn't wanted (Can also be used for actions that trigger on labels or for particular pushes to certain modules).
Also, you could obviously just have a separate branch for dependency updates that gets merged back into the main branch regularly, but I feel like this is a bit more effort than needed, because you would also need to constantly sync it with main again.
Having a setting to define one branch to check and another one to PR changes towards would be a good idea, as it could also allow you to tweak a few things (i.e. update code that would no longer work with the new version) before merging it back into the main branch to build.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Right now does Dependabot only offer a
updates[].target-branch
setting that according to the docs is using the specified branch as both the source and final target branch for a PR.This setup has its flaws, which can be most prominent when you have a repository with multiple modules that each have their own package management (i.e. a multi-module Maven project).
When dependabot now finds an update in a dependency, and this dependency is used across multiple modules, will it make separate PRs for each of those modules.
While this isn't as much of a problem, will it become one if the dependency bump is a breaking change and you have a CI set up that builds of the same target branch as configured in Dependabot.
Merging those PRs into the target branch can (and probably will) now create failed builds as one module has the bumped version, while the others don't.
I'll give a quick example with a list of events:
Example
4 modules using Maven.com.example:Example
which is on version1.2.3
main
branchmain
as target-branch for all modules.com.example:Example
has a new version2.0.0
(Changelog mention breaking changes)From this example alone, which is based on one of my own repositories, can you see that the CI would report 2 failed builds because of the PRs all targeting the main branch and the PRs being separate.
While I can see the option of having all bumps for a particular package ecosystem being in the same PR do I feel like keeping them separate is a good idea, especially if for some reason the bump of the dependency in one module isn't wanted (Can also be used for actions that trigger on labels or for particular pushes to certain modules).
Also, you could obviously just have a separate branch for dependency updates that gets merged back into the main branch regularly, but I feel like this is a bit more effort than needed, because you would also need to constantly sync it with main again.
Having a setting to define one branch to check and another one to PR changes towards would be a good idea, as it could also allow you to tweak a few things (i.e. update code that would no longer work with the new version) before merging it back into the main branch to build.
Beta Was this translation helpful? Give feedback.
All reactions