Comments (3)
Seems this issue and #178 have a lot in common. I'll close this one (if that's a mistake feel free to re-open it).
Actually, this is probably a bad idea. This means we'll be able to add features added in 1.2.0 yet we still require ^1.0.0, which may resolve to 1.1.0 if another dependency locks it. Ouch, food for thought...
My hunch here is that libraries need something more than just Dependabot, and I'm not 100% sure how Dependabot should fit in.
Off the top of my head, the setup I think a great library should have is:
1. a comprehensive build matrix for each major version of its sub-dependencies (realistically this is likely to be one framework-like dependency) which tests against
   - the lowest possible sub-version of each major version of the sub-dependency that's supported
   - the highest version of the latest major version of the sub-dependency
2. a process to trigger a new test-run each time a new version of a sub-dependency is released
I'm not aware of a solution to (1) for JavaScript - in Ruby it's generally done by not committing a lockfile and using either environment variables in the Gemfile or a tool like appraisal. I don't think this is something Dependabot can easily help with, at least in the short term.
I think the best way for Dependabot to support (2) is for us to work the same way that Greenkeeper does in the case when a lockfile isn't committed and the README (or some other tell) suggests that the repo is a library. That will require a few changes on our side, but I'm keen to get our library support perfect.
Cross-reference: dependabot/feedback#61.
(And this can stay closed - I'm super aware of this issue and it's covered in a couple of others!)
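The range problem raised in the two comments above (a library that uses 1.2.0 features while still declaring ^1.0.0, which a consumer's lockfile may resolve to 1.1.0) and the "lowest and highest satisfying version" build matrix proposed in the last comment, as an added example. This is not dependabot-core code: it assumes caret ranges with a major version of 1 or more, uses Gem::Version from the Ruby standard library for ordering, and the list of published versions is constructed for the example.

```ruby
# Added example, not part of dependabot-core. Given a caret range such as "^1.0.0" and
# the versions a registry has published, compute the lowest and highest versions that
# satisfy it. A library's CI should exercise both ends: the lowest is what a consumer may
# actually get when another dependency locks an older minor, the highest is what a fresh
# install resolves to.
require "rubygems" # Gem::Version is used only for version comparison

# Parse "^MAJOR.MINOR.PATCH" (MAJOR >= 1) into an inclusive lower bound and an
# exclusive upper bound: ^1.0.0 means >= 1.0.0 and < 2.0.0.
# Caret ranges with a 0.x major are narrower in npm semantics and are not handled here (assumption).
def caret_bounds(range)
  m = range.match(/\A\^(\d+)\.(\d+)\.(\d+)\z/)
  raise ArgumentError, "unsupported range: #{range}" unless m
  major, minor, patch = m.captures.map(&:to_i)
  raise ArgumentError, "0.x caret ranges not handled: #{range}" if major.zero?
  [Gem::Version.new("#{major}.#{minor}.#{patch}"), Gem::Version.new("#{major + 1}.0.0")]
end

# All published, non-prerelease versions inside the range, sorted ascending.
def satisfying_versions(range, published)
  low, high = caret_bounds(range)
  published.map { |v| Gem::Version.new(v) }
           .select { |v| v >= low && v < high && !v.prerelease? }
           .sort
end

# The two ends of the build matrix for this range, or nil if nothing published satisfies it.
def lowest_and_highest(range, published)
  matches = satisfying_versions(range, published)
  return nil if matches.empty?
  [matches.first.to_s, matches.last.to_s]
end

# Does a version some other dependency has locked still satisfy the declared range?
# If it does, the library must work with it even if it developed against a newer minor.
def locked_in_range?(range, locked)
  low, high = caret_bounds(range)
  v = Gem::Version.new(locked)
  v >= low && v < high
end

# Constructed registry contents for the example (not real release data).
PUBLISHED = %w[0.9.0 1.0.0 1.0.1 1.1.0 1.2.0 1.2.1 2.0.0-beta.1 2.0.0]

if __FILE__ == $0
  low, high = lowest_and_highest("^1.0.0", PUBLISHED)
  puts "build matrix for ^1.0.0: lowest=#{low} highest=#{high}"
  # A consumer locking 1.1.0 is still inside ^1.0.0, so features that only exist in
  # 1.2.0 must not be relied on unless the range is bumped to ^1.2.0.
  puts "1.1.0 satisfies ^1.0.0? #{locked_in_range?('^1.0.0', '1.1.0')}"
end
```

The prerelease filter matters: Gem::Version orders 2.0.0-beta.1 below 2.0.0, so without it a ^1.0.0 matrix would pick up a beta of the next major as its "highest" version.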