
> which just ignore the PRs opened by Dependabot.

For JS Dependabot becomes a spammer, because there are just so many packages even in a "hello, world" project.

In one of my projects I just gave up and set up auto-approve/auto-merge on minor updates. This is what the commit history looks like: https://i.imgur.com/cC7h7T7.png And there are 20 more major ones waiting for resolution.

My hunch is that in many projects devs just don't have the capacity to deal with the deluge.

Keeping up with a node project is an impossible task; you would have to dedicate one full-time developer just for doing upgrades. There are daily updates and a lot of them will just break your code due to the poor testing culture & lack of backward compatibility.

This is absolutely it. For JS we only use it for security fixes now on my team because it was creating too much work otherwise. My personal blog is Gatsby (a decision I now regret somewhat), and gets a couple of Dependabot PRs a day which is ridiculous.
