I like the idea of Dependabot. A tool that actively tracks down dependency updates can be useful. Where I work, we have a daily CI job that creates a PR for each new dependency and runs a build in both our UI (JavaScript) and API (Python) projects. If the build passes, “Happy Days”, we can merge the PR, and the app is all the more secure and effective for it. What I’ve noticed in practice, however, is that occasionally this process will allow an upgrade to a dependency that will pass the automated build and test step, but introduce the wildest runtime error into the application. Usually at the time when we aim to deliver something. Dependency ‘spam’ is also a very real issue – https://news.ycombinator.com/item?id=27929596 – the daily deluge of often insignificant updates is a trudge to deal with, especially when coupled with the risk of these sly runtime errors. Dependabot is a great idea, but no-one appears to have anything bad, or practical, to say against it. But it does clearly have flaws. I don’t think I’d want to switch the bot off, but I would be interested in hearing how other people get on with the tool. Thanks. :]
Story Published at: August 12, 2022 at 10:47AM