weixin_39819393 2020-11-29 10:38 Acceptance rate: 0%

More sophisticated detection of whether a codebase is a library or an app

From on December 11, 2017 20:4

We've been testing out dependabot and greenkeeper simultaneously on some simple open-source repos. Dependabot's compat scores and full integration with yarn lockfiles, without needing a secondary run of a script, mean we can use --frozen-lockfile, so we'd like to switch to dependabot alone, but its handling of semver is confusing me.

We have a dev dependency to eslint-plugin-flowtype which was updated twice in the last day. We got 2 PRs (because we bumped manually, not a bug) - https://github.com/holvonix-open/json2array/pull/2 - https://github.com/holvonix-open/json2array/pull/4

We had a caret dependency of ^2.39.1 which was then updated to ^2.40.0 and then ^2.40.1 by dependabot (greenkeeper did not do this, presumably because it uses semver and the later 2 are compatible with ^2.39.1). Is this intentional on dependabot's part, or a bug? Why not, for example, just update the yarn lockfile with the latest (compatible) version, and just change package.json when the semver is incompatible?

The second piece of feedback is the daily bumps; not so important, but changing it to alert immediately on package update would be nice to have.

Copied from original issue: dependabot/feedback#61

This question originates from the open-source project: dependabot/dependabot-core


7 answers

  • weixin_39819393 2020-11-29 10:38

    Thanks for trying Dependabot!

    Hmmm, that behaviour is intentional but perhaps it's not what you'd expect in JavaScript. Basically, our thinking is that whilst the package.json update isn't required we're doing an update anyway and having the same version in your lockfile and package.json reduces the scope for confusion. (I've seen a couple of issues created where people think Dependabot has got their previous version wrong, because the version in the requirement in their package.json doesn't match the one in their lockfile.)

    Is there a reason you'd prefer us not to bump the package.json version? Perhaps one improvement on our side would be to put some text in the PR that mentions that the new version was covered by your previous requirement (even if we update it)?

    On moving from "daily" to "real-time", I totally agree - I'd love to offer that in the future, and it's definitely an extension we'll make at some point. Surprisingly you're the first customer that's brought it up, but I've always thought it would be a valuable option to have in the longer term.

    Really appreciate the feedback - we're always trying to improve Dependabot.

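The caret-range question raised in the issue and the "was the new version already covered by your previous requirement" note suggested in the reply above, as an added example that is not from the original issue or from Dependabot's own code: it evaluates a `^` requirement under npm's semver rules (including the 0.x special cases) and reports which files a bump would have to touch under the lockfile-only policy the question proposes. The `caretSatisfies`/`planUpdate` functions and the sample version pairs are assumptions constructed here for illustration.

```javascript
// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range: the left-most non-zero component
// may not change, so ^2.39.1 -> <3.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True when `version` is inside the caret range given by `requirement`.
function caretSatisfies(requirement, version) {
  if (!requirement.startsWith('^')) throw new Error(`caret ranges only: ${requirement}`);
  const lower = parseVersion(requirement.slice(1));
  const upper = caretUpperBound(lower);
  const v = parseVersion(version);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Policy from the question (hypothetical, not Dependabot's): touch only the
// lockfile when the requirement already covers the new version, otherwise
// also widen package.json to a fresh caret on the new version.
function planUpdate(requirement, newVersion) {
  const covered = caretSatisfies(requirement, newVersion);
  return {
    covered,
    files: covered ? ['yarn.lock'] : ['package.json', 'yarn.lock'],
    newRequirement: covered ? requirement : `^${parseVersion(newVersion).join('.')}`,
  };
}

// Constructed sample mirroring the thread: ^2.39.1 bumped to 2.40.0 / 2.40.1,
// plus a major bump and a 0.x case to show where the caret stops.
for (const [req, ver] of [['^2.39.1', '2.40.0'], ['^2.39.1', '2.40.1'],
                          ['^2.39.1', '3.0.0'], ['^0.2.3', '0.3.0']]) {
  console.log(req, '->', ver, JSON.stringify(planUpdate(req, ver)));
}
```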
