Disable dependabot and have bot update deps every week ?

[PVince81]

Our working pattern so far in the last weeks was to ignore the huge list of dependabot PRs and rather do a single "update deps" pull request every week. This also aligns with our weekly (beta) releases.

I find the long list of dependabot PRs to be noisy and we could disable dependabot altogether, with the condition that we are able to setup a process that automatically updates all libs at once. It seems dependabot is not yet able to do that: https://github.com/dependabot/feedback/issues/5

The exception would be for security updates. Still, we have snyk already and Github warnings for security, in which cases we can also take care.

Thoughts ? @DeepDiver1975 @LukasHirt

[LukasHirt]

Could be also helpful for drone, couldn't it? Lately it was kind of slow with him and I guess if we drop all those dependabot PRs that are running there as well could be at least a little bit beneficial.

[DeepDiver1975]

we could move to a weekly mode for checking the deps and submitting PRs.
But if we do not take care of deps updates for2 weeks the situation will be the same ... 🤷‍♂️

[PVince81]

@tboerger would you see this as a quick thing or is this more involved ? (not asking you to do it, just to get an idea in case we decide to do this ourselves)

the bot would need to yarn upgrade-all then submit a PR with the changes, once a week or so.

not sure yet what to do if such PR already exists from the past week

[tboerger]

It should be possible to build such a pipeline within drone, there are plugins available to do git pushs and also to create pull requests. we could even add a script that just closes previous pull requests if it got some kind of indicator like a specific label.

This pipeline could be triggered by the builtin cron to something like weekly.

[DeepDiver1975]

with dependabot being aquired by github and slowly getting integrated into github itself I think this all just a matter of time.
Furthermore: once we are in a more decent project flow - there is more time to properly take care of dependencies ... ;-)