Hi everyone,
Today I want to write about @dependabot, GitHub's automatic dependency bot updater that will keep your project dependencies up to dat...
I like this automation of version bumps but I'd really like to have it update the top-level dependant. In most cases the vulnerable packages are not the ones in the top level but x-levels deep. However, at the time the fixes are available through the bots, they are often fixed in the top level dependencies so ultimately I will update them anyway next time. Has anyone experience with configuring a bot to behave in this way?
Okay I just realized, that's actually exactly what Greenkeeper or david-dm do :-)
I had a similar experience with my Jekyll theme with gem versions
Thanks @ryanwestlund for sharing your opinion on @dependabot. What has impressed you the most regarding @dependabot?
The automation? The multi-language support?
Interesting @rob I haven't pushed the PR yet.
Thanks for the explanation and your experience with @dependabot.