- Регистрация
- 09.02.2010
- Сообщения
- 270
- Реакции
- 41
- Баллы
- 28
- Native language | Родной язык
- English
When the next Log4j lands, you don’t want to find out that you’re several versions behind, and that it’s going to take the team days to fix all of the breaking changes. Dependabot version updates automate the patching process, giving you a measure of protection from unwelcome surprises.
But just as with any inbox, the sheer volume of available updates can quickly swell into a management hassle. And given that some types of related dependencies must be updated together–such as with
Today’s general availability release is all about making it easier to stay on top of version updates and prevent breaking changes. Previously, Dependabot would open individual pull requests for each update, adding overhead to a developer’s workflow and raising the possibility that related dependencies could fall out of sync. Now, you can specify groups of dependencies to update with a single pull request. Grouped version updates confer significant benefits to your development process: simplified dependency management, a reduced risk of breaking changes, and an opportunity to phase out third-party tools and manual workarounds.
To take control of how Dependabot structures its pull requests, you can define groups of dependencies that will be updated together using
When you first configure a group, specify a group name that will display in pull request titles and branch names. Then, define other options to include or exclude specific dependencies from the group.
You can also exclude dependencies from groups to always manage their updates individually:
Bear in mind that you can only create
Example 1: Group by
In this example, “production” and “development” dependencies are grouped together, excluding those that match the pattern “rubocop*”:
Example 2: Group by
In this example, a group named
Example 3: Group by
People with permissions for a repository can configure Dependabot groups for that repository.
The post
But just as with any inbox, the sheer volume of available updates can quickly swell into a management hassle. And given that some types of related dependencies must be updated together–such as with
You do not have permission to view link please Вход or Регистрация
,
You do not have permission to view link please Вход or Регистрация
, and
You do not have permission to view link please Вход or Регистрация
–it’s all too easy to put off these tasks until it’s too late.Today’s general availability release is all about making it easier to stay on top of version updates and prevent breaking changes. Previously, Dependabot would open individual pull requests for each update, adding overhead to a developer’s workflow and raising the possibility that related dependencies could fall out of sync. Now, you can specify groups of dependencies to update with a single pull request. Grouped version updates confer significant benefits to your development process: simplified dependency management, a reduced risk of breaking changes, and an opportunity to phase out third-party tools and manual workarounds.
- Nick Gibson, Causeway Capital ManagementI’ve been testing the grouped Dependabot updates and just wanted to say it is awesome! Grouping functionality and configuration are exactly what we want.
How it works
To take control of how Dependabot structures its pull requests, you can define groups of dependencies that will be updated together using
groups
in dependabot.yml
. For example, you can configure groups that update many dependencies at once, or groups that minimize the risk of breaking changes.When you first configure a group, specify a group name that will display in pull request titles and branch names. Then, define other options to include or exclude specific dependencies from the group.
dependency-type
: specify a dependency type to be included in the group. dependency-type can bedevelopment
orproduction.
patterns
: define strings of characters that match with a dependency name (or multiple dependency names) to include those dependencies in the group.update-type
: specify the update type based on semantic versioning (for instance, where 1.2.3 equates to major.minor.patch) to include all updates of the same level in the same group.
You can also exclude dependencies from groups to always manage their updates individually:
exclude-patterns
: define strings of characters that match with a dependency name to exclude them from a group. For these dependencies, Dependabot will continue to raise single pull requests to update the dependency to its latest version.
Bear in mind that you can only create
groups
for version updates.Example 1: Group by dependency-type
In this example, “production” and “development” dependencies are grouped together, excluding those that match the pattern “rubocop*”:
Код:
# `dependabot.yml` file using the `dependency-type` option to group updates
# in conjunction with `patterns` and `exclude-patterns`.
groups:
production-dependencies:
dependency-type: "production"
development-dependencies:
dependency-type: "development"
exclude-patterns:
- "rubocop*"
rubocop:
patterns:
- "rubocop*"
Example 2: Group by patterns
In this example, a group named
dev-dependencies
will update dependencies in the bundler ecosystem at a weekly interval:
Код:
# `dependabot.yml` file with customized bundler configuration
# In this example, the name of the group is `dev-dependencies`, and
# only the `patterns` and `exclude-patterns` options are used.
version: 2
updates:
# Keep bundler dependencies up to date
- package-ecosystem: "bundler"
directory: "/"
schedule:
interval: "weekly"
# Create a group of dependencies to be updated together in one pull request
groups:
# Specify a name for the group, which will be used in pull request titles
# and branch names
dev-dependencies:
# Define patterns to include dependencies in the group (based on
# dependency name)
patterns:
- "rubocop" # A single dependency name
- "rspec*" # A wildcard string that matches multiple dependency names
- "*" # A wildcard that matches all dependencies in the package
# ecosystem. Note: using "*" may open a large pull request
# Define patterns to exclude dependencies from the group (based on
# dependency name)
exclude-patterns:
- "gc_ruboconfig"
- "gocardless-*"
Example 3: Group by update-type
Код:
groups:
angular:
patterns:
- "@angular*"
update-types:
- "minor"
- "patch"
ignore:
- dependency-name: "@angular*"
update-types: ["version-update:semver-major"]
Who can use this feature
People with permissions for a repository can configure Dependabot groups for that repository.
Learn more about grouped updates
-
You do not have permission to view link please Вход or Регистрация
-
You do not have permission to view link please Вход or Регистрация
-
You do not have permission to view link please Вход or Регистрация
The post
You do not have permission to view link please Вход or Регистрация
appeared first on
You do not have permission to view link please Вход or Регистрация
.