Comments (9)

huan commented on June 5, 2024

Sure. I have deleted all the Level org repos in the Snyk interface one by one; I hope it has cleaned all the webhooks.

Please let me know if there are any tasks that need to be done additionally.

from community.

vweevers commented on June 5, 2024

Dependabot wins. For 3 reasons: the commands, more context on PRs (lists both changelog and commits) and it's faster. Compare Level/level#185 and Level/level-js#199: same dependency, but Renovate's PR was delayed by a full month. That said, for the record, Dependabot has an unfair advantage and I dislike the vendor lock-in.

vweevers commented on June 5, 2024

Ah. @huan the GitHub audit log shows that you added Snyk?

huan commented on June 5, 2024

Yes, it was caused by a mistake in my operation.

Today I was trying to migrate my projects from Greenkeeper to Snyk; however, Snyk checks all repositories that I have privileges to manage, with a not very clear interface, and after I clicked the next button, it started migrating all of them.

vweevers commented on June 5, 2024

@huan Alright, that's unfortunate. Thanks for checking in.

In the Snyk interface, can you find an easy way to remove repos or an entire github org? If not, I'll remove all the webhooks manually via GitHub.

vweevers commented on June 5, 2024

I'm also gonna give Renovate a try, because it seems Dependabot doesn't run tests on in-range dependency updates, like Greenkeeper did.

vweevers commented on June 5, 2024

Same story with Renovate, sadly. There are three bad options:

  1. Use rangeStrategy: replace. This will open a PR if a new version (e.g. 2.0.0) falls outside the current range (e.g. ^1.0.0). There'll be no tests on in-range updates.
  2. Use rangeStrategy: bump. This will open a PR for any new version. Too noisy. Plus, to allow deduping of dependencies (app-wide) I prefer loose lower bounds on ranges (e.g. ^1.0.0 rather than ^1.6.2 unless that specific version is actually the minimum).
  3. Use lockFileMaintenance. Same effect as (2) but Renovate won't touch package.json. My hatred of lockfiles aside, it's just as noisy as (2). Noise can be reduced by using a schedule, but that misses the goal of getting realtime notifications on breaking in-range updates.

Going with option 1 for now, because it's the least noisy. And Greenkeeper's behavior of testing in-range updates did also result in noise, e.g. due to CI failures.

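The gap described in the comment above (releases that fall inside the declared range and so get no PR and no test run under rangeStrategy: replace), as an added example that is not part of the original thread and not Renovate's own code. The package names and versions are constructed, and only caret ranges without prerelease tags are modelled.

```javascript
// Simplified model; handles only caret ranges (^x.y.z) without prerelease tags.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// npm caret semantics: the leftmost non-zero component must not change,
// so ^1.0.0 < 2.0.0, ^0.2.3 < 0.3.0 and ^0.0.3 < 0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`unsupported range: ${range}`);
  const low = parse(range.slice(1));
  const v = parse(version);
  return cmp(v, low) >= 0 && cmp(v, caretUpperBound(low)) < 0;
}

// As the comment describes "replace": a PR (and a CI run) happens only when
// the new version is outside the declared range. In-range releases reach
// fresh installs without any test run, so list them for review.
function classify(dependencies, releases) {
  return releases.map(({ name, version }) => {
    const inRange = satisfiesCaret(dependencies[name], version);
    return { name, range: dependencies[name], version, inRange, replaceOpensPr: !inRange };
  });
}

function untestedUnderReplace(dependencies, releases) {
  return classify(dependencies, releases).filter((r) => r.inRange).map((r) => `${r.name}@${r.version}`);
}

// Constructed sample data: hypothetical package names and versions.
const dependencies = { 'pkg-a': '^1.0.0', 'pkg-b': '^0.2.3', 'pkg-c': '^0.0.3' };
const releases = [
  { name: 'pkg-a', version: '1.6.2' }, { name: 'pkg-a', version: '2.0.0' },
  { name: 'pkg-b', version: '0.2.9' }, { name: 'pkg-b', version: '0.3.0' },
  { name: 'pkg-c', version: '0.0.4' },
];
console.table(classify(dependencies, releases));
console.log('in-range, no PR under replace:', untestedUnderReplace(dependencies, releases));
```

Note that for 0.x dependencies the caret range is much narrower, so a minor or even patch release can already be out of range and trigger a PR.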
vweevers commented on June 5, 2024

As for Dependabot vs Renovate, I like the commands you can give to Dependabot on PRs, especially squash and merge which waits for status checks to pass. This means, once you get a notification from GitHub, you don't have to wait and come back to the PR later. Renovate on the other hand is more configurable, and has the great option to only open PRs once status checks pass.

vweevers commented on June 5, 2024

Configured all repos except for Level/leveljs.org#50.
