Dependabot is GitHub's tool for automating dependency updates. It's great! But it can be a little noisy. Here are some tips for making it a little less so.
Grouping
Ever had Dependabot create seven PRs for the same dependency update? If you're working with dependencies like Storybook, you probably have. To make it a little smarter, we can tell it to group certain dependencies. The groups
keyword lets us create a new group and specify by a pattern which dependencies should be grouped together.
version: 2
updates:
- package-ecosystem: npm
directory: /
schedule:
interval: daily
groups:
storybook:
patterns:
- "@storybook/*"
- storybook
By doing this, all dependencies that match the regexes will be grouped together in one PR and we no longer get a load of different PRs every week when SB creates a new patch version (no critique of SB here, it's just a very active project!).
Other groups could be angular
, eslint
, react
, and @typescript-eslint
.
Ignoring patch updates
For projects that are moved to maintenance, it's sometimes nice to turn off patch updates, especially if maintenance only happens every couple of weeks. This can be done by adding the following to the Dependabot config:
ignore:
- dependency-name: '\*'
update-types: ["version-update:semver-patch"]
That will ignore all patch updates for all dependencies. If you want to ignore patch updates for a specific dependency, you can do that too:
ignore:
- dependency-name: storybook
update-types: ["version-update:semver-patch"]
Cover image by Xavier von Erlach on Unsplash
Top comments (0)