In my experience, Taskcluster returns results within 30 minutes of the PR opening, so all I need to do is check the in-PR results for a green checkmark. If it's there, it's easy enough to merge. If it's red, it sometimes means I need to file an issue like https://github.com/servo/mozangle/issues/38 or https://gitlab.freedesktop.org/gstreamer/gstreamer-rs/-/issues/251; in any case, dependabot PRs that require code changes or de-duplication can be closed without incurring extra work.

Cheers,
Josh

On 2020-05-01 11:08 a.m., Alan Jeffrey wrote:
The problem I'm having with dependabot is that it opens PRs for upgrades
that won't pass CI without a lot of work, e.g. upgrading winit (
https://github.com/servo/servo/pull/26256), and as a result I treat emails
I get for dependabot PRs as quite likely to involve wasted effort.

The situation would be much better if we could somehow get the emails to be
issued only if the PR passes the initial taskcluster build in CI. For
example, if dependabot opened a draft PR, and only made it a full PR if the
initial CI run succeeds? (And if we don't assign a reviewer to draft PRs.)

Alan.

On Sat, Apr 25, 2020 at 3:19 AM Bastien Orivel <eijeb...@bananium.fr> wrote:

Hi,

I have a few questions that I'm interested in hearing feedback on:
* should we use Dependabot at all?

I personally don't think we should use Dependabot.

Looking at the current PRs it made, the `time` one I'm 99% sure needs
code changes and would introduce a duplicate. The `keyboard-types` one
is probably wrong, would introduce a dupe in a crate used for sharing
types across crates (would probably not compile). The `image` one would
dupe png. The `cc` and `smallvec` ones break the build. The `winit` one
doesn't build, would bring in more dupes.

* is our policy to ban duplicate versions by default still useful?

Yes. Servo's dependency graph is huge already, let's not make it worse
by having 3 versions of the same dependency for every dependency.

* what changes should we make to the policy to accommodate the use of
Dependabot?

If it opened issues on semver breaking changes and maybe pinged people
that like updating dependencies then it might be better. Some of those
might even be good first issues like the time one if we can provide
examples of similar bumps.

Regards,
Bastien
_______________________________________________
dev-servo mailing list
dev-servo@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-servo

