+1 I really like that there is automation to help us update the deps. If the PR from dependabot passes CI, we can just merge. Otherwise we will file an issue.
On Fri, Jul 26, 2019 at 11:38 AM David Davis <davidda...@redhat.com> wrote:
> Recently, Pulp 3 package installs were broken by a new version of DRF
> which necessitated a new release of pulpcore (RC4)[0]. Our releases are
> fragile and unstable because they don't pin versions of dependencies.
>
> I was thinking of a new strategy whereby we pin pulpcore's dependencies to
> specific versions (either y or z releases) and we use something like
> dependabot[1] to notify us of new updates for pulpcore dependencies. It
> looks like it'll open new PRs when it detects a dependency is out of date.
>
> The one downside I do see is that dependabot PRs could be ignored.
> However, I think the stability of our releases outweighs this potential
> risk especially as we get closer to GA.
>
> Thoughts?
>
> [0] https://www.redhat.com/archives/pulp-dev/2019-July/msg00076.html
> [1] https://dependabot.com/
>
> David
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev@redhat.com
> https://www.redhat.com/mailman/listinfo/pulp-dev