Skip to content

chore(deps): pin dependencies#509

Closed
BrunoQuaresma wants to merge 2 commits intomainfrom
bq/chore-pin-dependencies
Closed

chore(deps): pin dependencies#509
BrunoQuaresma wants to merge 2 commits intomainfrom
bq/chore-pin-dependencies

Conversation

@BrunoQuaresma
Copy link
Contributor

@BrunoQuaresma BrunoQuaresma commented May 19, 2025

  • Pin dependencies
  • Only auto update minors using dependabot

@BrunoQuaresma BrunoQuaresma requested a review from a team May 19, 2025 16:34
@BrunoQuaresma BrunoQuaresma self-assigned this May 19, 2025
@BrunoQuaresma BrunoQuaresma requested review from jaaydenh and removed request for a team May 19, 2025 16:34
matifali
matifali reviewed May 19, 2025
View reviewed changes
package.json
"version": "1.9.0",
"engines": {
"vscode": "^1.73.0"
"vscode": "1.73.0"
Copy link
Member

@matifali matifali May 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if we should pin VS Code, as it is now on version 1.100. @code-asher can help us here.

Copy link
Member

@code-asher code-asher May 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah if we do this our extension will only run on VS Code 1.73.0.

matifali
matifali reviewed May 19, 2025
View reviewed changes
.github/dependabot.yml
- dependency-name: "@types/vscode"
- dependency-name: "*"
update-types:
- version-update:semver-major
Copy link
Member

@matifali matifali May 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we should also allow minor updates and reduce the frequency to once a month.

@code-asher
Copy link
Member

code-asher commented May 19, 2025
edited
Loading

Why do we need to remove the ^ if we are also adding config to dependabot to ignore major versions?

Edit: to elaborate, we could similarly configure dependabot to ignore minor versions instead of changing the package.json.

Although, I am not sure most packages will backport security fixes and the like, so unsure if we should actually do this. Will dependabot do a minor/major update even if we tell it not to, if the update is for security reasons?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matifali matifali matifali left review comments

@code-asher code-asher code-asher left review comments

@jaaydenh jaaydenh Awaiting requested review from jaaydenh jaaydenh was automatically assigned from coder/ts

Assignees

@BrunoQuaresma BrunoQuaresma

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BrunoQuaresma @code-asher @matifali