On Sat, Apr 1, 2023 at 5:04 AM Oscar Benjamin <[email protected]> wrote:
>
> On Sat, 1 Apr 2023 at 06:36, Aaron Meurer <[email protected]> wrote:
> >
> > On Fri, Mar 31, 2023 at 10:33 PM Jason Moore <[email protected]> wrote:
> > >
> > > When the # of dependencies is large, dependabot is a very annoying
> > > feature. I contributed to a Javascript lib and the dependabot floods your
> > > inbox and notifications with useless PRs. It may be ok for us, since it
> > > is only checking a handful of dependencies and those don't change too
> > > often.
> >
> > We actually have quite a few, assuming we were to pin all of them
> >
> > https://github.com/sympy/sympy/blob/master/.github/workflows/runtests.yml#L201-L203
> > (there's a few others in this file too, search for "install")
> > https://github.com/sympy/sympy/blob/master/doc/requirements.txt
> >
> > I don't know if there's a tool that lets you easily see how often
> > these are updated but my guess would be 1-5 updates a week.
>
> Yes, but we could set dependabot to just run once a month. We would
> get a small flurry of updates. Most could just get immediately merged.
>
> What would be nice is if there was an alternative to dependabot that
> could batch all the different dependency updates into a single PR or
> perhaps a PR for say all doc dependencies so that you know that to
> review you just need to check the docs build.

It seems that you can configure some of these things:

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#open-pull-requests-limit
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#scheduleinterval

Although it doesn't seem like it can do the thing you suggest where it
just opens one PR then pushes new stuff to that same PR.

Aaron Meurer

>
> This tool can be used to update a whole requirements.txt file in one go:
> https://pypi.org/project/pip-upgrader/
>
> It could probably be configured to run say once a month and open a PR.
> I think that making a full bot to do this is a bunch of work though so
> it is better if there is a ready made action that we can use.
>
> My suggestion is just that we try using dependabot for some things and
> see how it pans out.
>
> --
> Oscar
>
> --
> You received this message because you are subscribed to the Google Groups
> "sympy" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/sympy/CAHVvXxQS-fNsxeQVsKkMvv3PjFC7f5z2W7z%2BYX20x_ZSsCd_oA%40mail.gmail.com.
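
A `.github/dependabot.yml` using the two options linked in the reply above (`schedule.interval` and `open-pull-requests-limit`), added here as an example and not taken from the SymPy repository or from anyone in the thread. The limit of 3 and the choice of ecosystems are assumptions.

```yaml
# .github/dependabot.yml
# Constructed example, not SymPy's actual configuration.
version: 2
updates:
  # Python packages listed in doc/requirements.txt (file named in the thread).
  - package-ecosystem: "pip"
    directory: "/doc"
    schedule:
      interval: "monthly"         # one round of update PRs per month
    open-pull-requests-limit: 3   # assumed value; Dependabot's default is 5

  # Action versions referenced by `uses:` in .github/workflows/*.yml.
  # This ecosystem does not read `pip install ...` commands inside `run:`
  # steps, such as the runtests.yml lines linked in the thread, so versions
  # pinned only there are not covered by this entry.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 3
```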
