by geoffharcourt
1407 days ago
I've been using Depfu for a while and I think it handles some of the biggest pain points with dependency spam.

- Package releases don't get PRs in their first 24 hours unless they are for security issues, so you don't get noise if there's a yank or a quick patch for a bug in the latest release.
- You can set development (or production!) packages to only update once a week.
- Packages that are known to have a very frequent release cadence (AWS SDK subcomponents, looking at you) get pushed to a much slower PR pace so that you only update them 2x/month, etc.
- This might be fixed now, but it had much nicer auto-merge behavior for releases that passed CI.
- With Yarn, it can run `yarn-deduplicate` after updates to trim down shared dependency bloat.

FWIW we still use Dependabot for security patches only because they seem to get picked up a few hours earlier. We also have much tighter lock rules on some JS packages which seem to make breaking changes on patch/minor releases.