[
https://issues.apache.org/jira/browse/HDDS-9171?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17807448#comment-17807448
]
Ethan Rose commented on HDDS-9171:
----------------------------------
{quote}Thus, I think only a single Recon dependency PR should be open at the
same time. If it is still open when dependabot notices another potential
version bump, it should be updated, instead of creating a new PR. If that's not
possible with current dependabot automation, we should turn it off.
{quote}
Would this be one PR open at a time per dependency, or one PR for one
dependency that must be merged before another PR for a different dependency is
filed? Either way I think we should look to reduce the frequency of dependabot
PRs. I think part of the problem with reviews is that people are not sure what
process to follow to verify that the change does not introduce problems. Maybe
if we could define a reusable test plan for dependabot PRs we could merge them
sooner.
{quote}We can still rely on dependabot security alerts and create PRs manually.
{quote}
This is not a bad approach either.
> Resolve dependabot build issues when updating npm packages
> ----------------------------------------------------------
>
> Key: HDDS-9171
> URL: https://issues.apache.org/jira/browse/HDDS-9171
> Project: Apache Ozone
> Issue Type: Improvement
> Reporter: Ethan Rose
> Assignee: Abhishek Pal
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.4.0
>
>
> Dependabot has been enabled for the Ozone repository, but its builds are
> failing since it is only updating the lock file. This jira is to update
> .github/dependabot.yml so that the PRs are filed correctly. Example:
> https://github.com/apache/ozone/pull/5143