On Sat, 1 Apr 2023 at 06:36, Aaron Meurer <[email protected]> wrote: > > On Fri, Mar 31, 2023 at 10:33 PM Jason Moore <[email protected]> wrote: > > > > When the # of dependencies is large, dependabot is a very annoying feature. > > I contributed to a Javascript lib and the dependabot floods your inbox and > > notifications with useless PRs. It may be ok for us, since it is only > > checking a handful of dependencies and those don't change too often. > > We actually have quite a few, assuming we were to pin all of them > > https://github.com/sympy/sympy/blob/master/.github/workflows/runtests.yml#L201-L203 > (there's a few others in this file too, search for "install") > https://github.com/sympy/sympy/blob/master/doc/requirements.txt > > I don't know if there's a tool that lets you easily see how often > these are updated but my guess would be 1-5 updates a week.
Yes, but we could set dependabot to just run once a month. We would get a small flurry of updates. Most could just get immediately merged. What would be nie is if there was an alternative to dependabot that could batch all the different dependency updates into a single PR or perhaps a PR for say all doc dependencies so that you know that to review you just need to check the docs build. This tool can be used to update a whole requirements.txt file in one go: https://pypi.org/project/pip-upgrader/ It could probably be configured to run say once a month and open a PR. I think that making a full bot to do this is a bunch of work though so it is better if there is a ready made action that we can use. My suggestion is just that we try using dependabot for some things and see how it pans out. -- Oscar -- You received this message because you are subscribed to the Google Groups "sympy" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/sympy/CAHVvXxQS-fNsxeQVsKkMvv3PjFC7f5z2W7z%2BYX20x_ZSsCd_oA%40mail.gmail.com.
