The new v1.11.x series of patch releases seems to be almost fully automated:
This has led to 6 patch releases within 2.5 months, without any substantial changes.
The problem with that is that dependabot then also creates automated PRs in all repos that depend on create-github-app-token. As a reviewer of such PRs, I feel like this is a waste of human attention. Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.
Suggestion
Automated releases should only happen if there are any substantial updates included, which dependency updates are not.
> Especially because patch releases could also contain fixes for security vulnerabilities, so I can't just ignore such PRs.

Exactly.

> Automated releases should only happen if there are any substantial updates included, which dependency updates are not.

Unless there are security updates, which is not always easy to tell. You can configure the frequency of how often you want to receive updates from dependabot based on your preferences. We follow best practices by making sure our software is safe and uses the latest versions of its dependencies.
Also, you should be able to just use actions/create-github-app-token@v1 and disable all updates except for breaking changes, and you will automatically get the latest version; that's why we do have the vX release branches.
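The configuration the maintainer describes, as an added example that is not part of the original thread or of the project's own files: a `.github/dependabot.yml` that keeps weekly checks for GitHub Actions but tells dependabot to stop opening PRs for minor and patch bumps of this one action. It assumes the consuming workflow references the action as `actions/create-github-app-token@v1` (a floating major tag), so that the v1 branch delivers patch releases at run time without a PR; the `ignore` entry only stops version-update PRs, it does not change what the workflow actually runs.

```yaml
# .github/dependabot.yml (added example, not from the project)
version: 2
updates:
  - package-ecosystem: "github-actions"
    # Actions workflows live under .github/workflows; "/" is the
    # directory dependabot expects for this ecosystem.
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Keep PRs for major bumps (v1 -> v2, i.e. breaking changes) only.
      # Minor and patch releases of this action are picked up by the
      # workflow's floating "@v1" reference instead.
      - dependency-name: "actions/create-github-app-token"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"
```

One check worth doing before relying on this: confirm the workflow really pins `@v1` and not a full `v1.11.x` tag or a commit SHA, because with an exact pin the ignore rule would leave you on an old patch release with no PR to tell you a newer one exists.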