Enable GitHub Dependabot #21197
Enable GitHub Dependabot #21197
Conversation
| - dependency-name: NetTopologySuite* | ||
| - dependency-name: Newtonsoft.Json | ||
| - dependency-name: SQLitePCLRaw* | ||
| ignore: |
There was a problem hiding this comment.
Surprised an ignore list is needed when there's no overlap w/ the allow list. Is this due to another Dependabot restriction or oddity❔
There was a problem hiding this comment.
Not needed. Just here to remind us they're not being updated. (and why)
| @@ -2,7 +2,7 @@ | |||
| <Import Project="..\Directory.Build.props" /> | |||
|
|
|||
| <ItemGroup> | |||
| <PackageReference Include="BenchmarkDotNet" Version="$(BenchmarkDotNetVersion)" /> | |||
| <PackageReference Include="BenchmarkDotNet" Version="0.12.0" /> | |||
There was a problem hiding this comment.
Why do the ignored dependencies need to have their versions inlined too❔
There was a problem hiding this comment.
We may want to automatically update them in the future. And, IMHO, the only value of Versions.props is so Maestro can update it.
|
Forgot to ask: The Dependabot security alerts work fine with all of the versions in eng/Versions.props. Did you find the need to inline the versions documented somewhere or through experimentation? |
|
Through experimentation. I tried a few other patterns but the Dependabot jobs kept failing. I can't remember the exact error. I'm happy to tweak this if we want to standardize. |
The NuGet/MSBuild support is pretty primitive and requires us to inline versions.
This is enough to start getting PRs from Dependabot. We can iterate on the configuration as we go.
Once merged, you can view the logs and manually trigger checks using this page.
I've tested this on my fork.