Comments (10)
@kajatiger - love the idea of a dep rotation; looking at Force, for example, or Palette, or any of our other web areas, it's clear things are very much out of date in places. Having a rotation like that would also help devs get more involved with the tooling aspect of our codebases.
However! That part of this RFC should be a separate RFC just because it's a significant process switch, and in regards to Depfu, there's a lot to talk about as we already have some competing dep managers in place.
Do you think you could break this into two RFCs?
A lot of progress has been made to better surface the security information from Dependabot.
This Looker dashboard lists all the vulnerabilities by team and repository: link 🔒
This Notion document describes how we are using Dependabot: link 🔒
Love the idea of a rotation and have heard good things about depfu.
Does it cover languages other than Ruby?
If this RFC is accepted it might be good to outline a full migration path in the resolution section, and loop in some repo maintainers to help things along.
Depfu covers all Ruby, JS and Elixir projects.
Can you clarify how you mean that Dependabot's not configurable? It seems similar in most respects.
I'm not married to Dependabot, but do see a lot of value in being consistent across repositories. I wouldn't want something as foundational as dependency management to vary without good reasons.
Okay @damassi thanks for your suggestion. I split the RFCs in two now and it does make more sense to discuss things separately.
Since Renovate (in the repos it is active on) works, but I agree it can be hard to configure, I'd like to try Depfu and see how it feels as well.
Eigen has renovate with a bunch of stuff disabled, which is not helping. I could add depfu on echo, which is much smaller, and help compare too. 🤔
Cool! Definitely like the idea of having consistent, easy-to-understand dependency updates for all of Artsy's repos.
Something I think this RFC should cover: how much would Depfu cost for Artsy? And how much work would it take to set up and maintain?
Thank you @icirellik! I still find the Dependabot config a bit counterintuitive, and also, from our configurations now, it is conflicting with the other RFC about a rotating dependency update routine. But I guess this can be discussed individually on a team level and repo level.
In order to gain some insight on how to configure Dependabot, there is documentation here: https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/customizing-dependency-updates
So sadly closing this RFC now.
Resolution
We decided to leave things as they are.
Level of Support
5: Unclear Resolution.
Additional Context:
Some people were in favor of it, but some people did not see the benefits of the change.
Next Steps
We will stick to dependabot.
Exceptions
None
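For readers who, like the thread, find the Dependabot config hard to read: a `dependabot.yml` covering the Ruby and JS ecosystems the discussion mentions, as an added example that is not Artsy's own configuration. The directories, schedule, label and the ignored gem name are assumptions for illustration.

```yaml
# Added example, not Artsy's configuration. Paths, labels and the
# ignored package are assumptions for illustration only.
version: 2
updates:
  # Ruby (Bundler) dependencies at the repository root
  - package-ecosystem: "bundler"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    # Cap the number of open update PRs so a rotation can review them in a batch
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
    # Only raise PRs for direct dependencies; transitive ones move with the lockfile
    allow:
      - dependency-type: "direct"
    # Hold back major bumps for this (hypothetical) gem so they get a deliberate upgrade
    ignore:
      - dependency-name: "example-gem"
        update-types: ["version-update:semver-major"]

  # JavaScript (npm/yarn) dependencies at the repository root
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
```

This file configures version updates only; the security updates surfaced in the Looker dashboard above are enabled separately in the repository's security settings and do not require this file to exist.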