Configure Dependabot to update all RubyGems
By default Dependabot only monitors direct dependencies (those specified
in the Gemfile) for updates. It appears to use `bundle update
<dependency>` under the hood, which means that a Dependabot PR to update
<dependency> can also include updates to sub-dependencies. This makes it
harder to review because the PR will only include the Changelog of
<dependency> and not of the sub-dependencies.

My hope is that by configuring Dependabot to monitor direct and indirect
(sub) dependencies[1] we'll end up with more, smaller/easier to review,
PRs.

I think the same change[2] has been working reasonably well in Signon and
thought it was worth bringing authenticating-proxy into line.

[1]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#allow
[2]: alphagov/signon#2382
chrisroos committed Nov 16, 2023
1 parent ff68bd9 commit e2c1fc1
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .github/dependabot.yml
@@ -4,3 +4,5 @@ updates:
directory: /
schedule:
interval: daily
allow:
- dependency-type: "all"
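Review bot: the hunk only shows the tail of this `updates` entry (`directory: /`, `schedule: interval: daily`), so the `package-ecosystem` it belongs to is not visible here; please confirm this is the `bundler` entry and that any other ecosystems listed in the file are deliberately left at the default (direct-dependencies-only) scope. Since `allow: - dependency-type: "all"` makes Dependabot raise a PR for every gem in Gemfile.lock rather than just those in the Gemfile, and no `open-pull-requests-limit` is set in this entry, it is worth checking whether the default limit is enough for the larger number of PRs the commit message anticipates; otherwise updates to transitive gems may queue behind the limit and lose the "more, smaller PRs" benefit.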
