Assessment disabling Dependabot PRs for certain dependency clusters

We currently have a bunch of hanging CHT-Core Dependabot PRs that keep popping up that we cannot merge: for the wdio cluster of dependencies and angular cluster of dependencies.

For wdio, we know there was a significant effort last year that identified some serious blockers. So updating automatically is out of the question.
The same applies for angular, as it’s a major angular release (from v.18 to v.19) that, I believe, requires a bit more effort than a lazy Dependabot PR.

I see some options:

  1. don’t change anything and leave those Dependabot PRs hanging. I believe this is confusing for anyone who sees the CHT-Core PR page. I prefer that active work is stored in PRs, not dead code that nobody intends to merge.
  2. aggressively close unmergeable Dependabot PRs - partial solution because Dependabot will create a new one in the new “cycle”
  3. actively work on both these issues and merge our code instead and close Dependabot PRs
  4. disable Dependabot PRs and rely on human effort and check for updates for these dependencies.

I believe it’s acceptable to manually delete a few PRs from time to time, but not as a permanent solution.

Appreciate your feedback 🙂

1 Like

After more consideration, I am going to reverse my previous position on this. My new opinion is that we should go with #3. We definitely need to remain up to date with things like Angular and wdio. I cannot come up with any benefit we would gain from not addressing these updates as they become available. Adding these kinds of things to the “backlog” is pretty much the same as not doing them. If we wait until we are forced to upgrade it will almost certainly be causing more work in the long term.

The only exception would be cases where we are hard-blocked from an upgrade because of existing issues/projects (e.g. pouch, eslint, etc). In these cases, I think we should disable Dependabot updates until the blocking issue is resolved.

With all this in mind, I have assigned myself to the open angular PR and will work to get it building/reviewed/merged.

1 Like
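The option discussed above of pausing Dependabot for specific dependency clusters until a blocker is resolved can be expressed with `ignore` rules in `.github/dependabot.yml`. This is an added example, not the CHT-Core configuration; the package-name patterns, directory, schedule, and which cluster gets which rule are assumptions chosen for illustration.

```yaml
# .github/dependabot.yml
# Added example: patterns, directory and schedule are assumptions.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Major upgrade handled by hand (e.g. Angular 18 -> 19):
      # suppress only major-version PRs, keep minor and patch PRs flowing.
      - dependency-name: "@angular/*"
        update-types: ["version-update:semver-major"]
      # Hard-blocked cluster: suppress all version-update PRs.
      # Delete these entries once the blocking issue is resolved.
      - dependency-name: "@wdio/*"
      - dependency-name: "webdriverio"
```

Keeping the rules in the repository, with a comment pointing at the blocker, makes the pause visible in review and easy to revert, unlike closing PRs by hand each cycle.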

Thank you @jkuester for your feedback and for volunteering your time with the Angular upgrade.

1 Like