Re: Dependabot

2022-06-07 Thread Bryan Ellis
I think the version difference is not the main point and was a bad example. I 
had bumped the version within minutes before that PR.

I don’t mind if Dependabot's service is on, but usually, I will rebuild the 
file myself and skip the Dependabot PRs. 

I find their PR submissions a little annoying. The service seems to submit a 
couple of PRs, and then after merging in one, more (5-10) are created within 
seconds.

I didn't want to deal with a chain of PRs and find it easier to submit a single 
PR that bumped everything.

As far as I remember, their PRs only affect the package-lock.json file, which 
is a developer-only file. It is not released within the final package to 
end-users.

Keeping the service enabled could still be nice-to-have as the PRs provide 
notices of updates. The PR also usually contains the change logs of the 
dependency.

As for accepting and merging the Dependabot PRs or creating our own, I don't 
believe it is something we need to worry too much about. I think, however, that 
any individual who wants to handle it is acceptable, and it could be handled 
case-by-case. If someone wants to sit there and go through the chain of PRs 
that it submits until they stop submitting PRs, that is fine too.


> On Jun 8, 2022, at 02:14, julio cesar sanchez wrote:
> 
> In this case the package-lock was out of sync with the package.json (it had
> v6.x.x while package.json had 7.x.x), so if we have more packages with the
> same problem we should fix them.
> 
> But if the package-lock is ok, then I think we can just merge the
> dependabot PRs, what’s the advantage of having it if we still send PRs
> manually to do the same?
> 
> 
> On Tuesday, June 7, 2022, Norman Breau wrote:
> 
>> 
>> Hi Team,
>> 
>> Just curious on other thoughts on Dependabot now that Apache enabled them
>> across the repos. Do we review and merge them as is? Should we build PRs
>> like https://github.com/apache/cordova-js/pull/255 to regenerate
>> package-lock, which will result in Dependabot closing its PRs?
>> Case-by-case basis?
>> 
>> Personally I think I favour the manual PR approach as it will squash
>> several Dependabot PRs into one, and Dependabot is smart enough to notice
>> when its PR is out-dated.
>> 
>> Cheers,
>> Norman
>> 
>> 
>> 
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@cordova.apache.org
>> For additional commands, e-mail: dev-h...@cordova.apache.org
>> 
>> 


Re: Dependabot

2022-06-07 Thread julio cesar sanchez
In this case the package-lock was out of sync with the package.json (it had
v6.x.x while package.json had 7.x.x), so if we have more packages with the
same problem we should fix them.

But if the package-lock is ok, then I think we can just merge the
dependabot PRs, what’s the advantage of having it if we still send PRs
manually to do the same?


On Tuesday, June 7, 2022, Norman Breau wrote:

>
> Hi Team,
>
> Just curious on other thoughts on Dependabot now that Apache enabled them
> across the repos. Do we review and merge them as is? Should we build PRs
> like https://github.com/apache/cordova-js/pull/255 to regenerate
> package-lock, which will result in Dependabot closing its PRs?
> Case-by-case basis?
>
> Personally I think I favour the manual PR approach as it will squash
> several Dependabot PRs into one, and Dependabot is smart enough to notice
> when its PR is out-dated.
>
> Cheers,
> Norman
>
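An added example of the check Julio describes above (this is not Cordova project code and not something posted in the thread): read package.json and package-lock.json and report every dependency whose locked version no longer satisfies the declared range, which is exactly the 6.x lock entry against a 7.x range that started this discussion. The package.json and lockfile objects are constructed inline so the script runs offline; it handles only the common range forms (^, ~, >=, exact, *) and both the lockfile v1 `dependencies` layout and the v2/v3 `packages` layout. `npm ci` performs the same consistency check and refuses to install when the two files disagree, which is how a stale lockfile usually surfaces in CI.

```javascript
// Added example, not Cordova code: report dependencies whose version pinned
// in package-lock.json no longer satisfies the range declared in package.json.
// Handles the range forms that dominate real package.json files (^, ~, >=,
// exact, *). Anything else is reported as "unsupported" rather than guessed.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// true/false for supported ranges, null when the range form is not handled.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!v) return null;
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'latest') return true;
  const m = /^(\^|~|>=|=)?(\d+)\.(\d+)\.(\d+)$/.exec(r);
  if (!m) return null;
  const op = m[1] || '=';
  const base = m.slice(2, 5).map(Number);
  const cmp = compareVersions(v, base);
  switch (op) {
    case '=': return cmp === 0;
    case '>=': return cmp >= 0;
    case '~': // patch-level changes only
      return cmp >= 0 && v[0] === base[0] && v[1] === base[1];
    case '^': // leftmost non-zero component stays fixed
      if (cmp < 0) return false;
      if (base[0] !== 0) return v[0] === base[0];
      if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
      return cmp === 0;
  }
  return null;
}

// Top-level locked versions from either lockfile layout:
// v2/v3 use "packages" keyed by path, v1 uses "dependencies" keyed by name.
function lockedVersions(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      // only direct children of the root node_modules, scoped names included
      const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path);
      if (m && entry.version) out[m[1]] = entry.version;
    }
  } else if (lock.dependencies) {
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      if (entry.version) out[name] = entry.version;
    }
  }
  return out;
}

// Returns one record per problem: missing, mismatch, or unsupported range.
function checkLockSync(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lockedVersions(lock);
  const problems = [];
  for (const [name, range] of Object.entries(declared)) {
    if (!(name in locked)) {
      problems.push({ name, range, locked: null, status: 'missing' });
      continue;
    }
    const ok = satisfies(range, locked[name]);
    if (ok === null) problems.push({ name, range, locked: locked[name], status: 'unsupported' });
    else if (!ok) problems.push({ name, range, locked: locked[name], status: 'mismatch' });
  }
  return problems;
}

// Constructed sample input (not taken from any real repo), mirroring the
// case in the thread: package.json asks for 7.x but the lockfile pins 6.x.
const samplePackageJson = {
  devDependencies: { eslint: '^7.0.0', rewire: '^6.0.0', jasmine: '~3.99.0', nyc: '^15.1.0' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { devDependencies: samplePackageJson.devDependencies },
    'node_modules/eslint': { version: '6.8.0' },
    'node_modules/rewire': { version: '6.0.0' },
    'node_modules/jasmine': { version: '3.99.0' },
    // nested copy must not be mistaken for a top-level dependency
    'node_modules/jasmine/node_modules/glob': { version: '7.2.0' },
    // nyc is intentionally absent from the lockfile
  },
};

for (const p of checkLockSync(samplePackageJson, sampleLock)) {
  console.log(`${p.status.padEnd(11)} ${p.name}: declared ${p.range}, locked ${p.locked}`);
}
```

To run it against a real checkout, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json. The range parser deliberately returns null for forms it does not understand (x-ranges, `||`, pre-release tags), so those are flagged as `unsupported` instead of being silently passed.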

Dependabot

2022-06-07 Thread Norman Breau
Hi Team,

Just curious on other thoughts on Dependabot now that Apache enabled 
them across the repos. Do we review and merge them as is? Should we 
build PRs like https://github.com/apache/cordova-js/pull/255 to 
regenerate package-lock, which will result in Dependabot closing 
its PRs? Case-by-case basis?


Personally I think I favour the manual PR approach as it will squash 
several Dependabot PRs into one, and Dependabot is smart enough to notice 
when its PR is out-dated.


Cheers,
Norman
