Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SEC-3364] Remove Dependabot #883

Merged
merged 1 commit into from
Jan 11, 2023
Merged

[SEC-3364] Remove Dependabot #883

merged 1 commit into from
Jan 11, 2023

Conversation

TheBuggedYRN
Copy link
Contributor

@TheBuggedYRN TheBuggedYRN commented Jan 10, 2023
edited
Loading

Description of the change

We should disable Dependabot from running on our React Native repo since the dependency warnings it generates do not apply to the user’s app.

Dependabot alerts are not applied to the users’ apps for the following reasons:

  1. We do not have any actual dependencies in our SDK, just peer and dev dependencies, which do not get installed in the user apps.
  2. Supposedly we had a dependency in the future, the package manager will not respect the versions in our yarn.lock, since the dependency resolution will be done in the user’s app according to our package.json not yarn.lock. (*)

References:
(*): A comment by one of Yarn creators, explaining the dependency resolution in an app vs a library: yarnpkg/yarn#838 (comment)

Type of change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Related issues

Issue links go here

Checklists

Development

  • Lint rules pass locally
  • The code changed/added as part of this pull request has been covered with tests

Code review

  • This pull request has a descriptive title and information useful to a reviewer
  • Issue from task tracker has a link to this pull request

@TheBuggedYRN TheBuggedYRN self-assigned this Jan 10, 2023
@TheBuggedYRN TheBuggedYRN changed the title Remove Dependabot [SEC-3364] Remove Dependabot Jan 10, 2023
@TheBuggedYRN TheBuggedYRN merged commit 4423dc9 into dev Jan 11, 2023
@TheBuggedYRN TheBuggedYRN deleted the chore/remove-dependabot branch January 11, 2023 12:57
ymabdallah pushed a commit that referenced this pull request Feb 20, 2023
@TheBuggedYRN @ymabdallah
[SEC-3364] Remove Dependabot (#883)
51dd4a3 
Dependabot alerts are not applied to the users’ apps for the following reasons:
 1. We do not have any actual dependencies in our SDK, just peer and dev dependencies, which do not get installed in the user apps.
 2. Supposedly we had a dependency in the future, the package manager will not respect the versions in our yarn.lock, since the dependency resolution will be done in the user’s app according to our package.json not yarn.lock. (*)

References:
(*): A comment by one of Yarn creators, explaining the dependency resolution in an app vs a library: yarnpkg/yarn#838
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@TheBuggedYRN TheBuggedYRN

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@TheBuggedYRN