Disabling Scheduled Dependency Updates | David Lord

Submitted by Style Pass, 2024-09-20 03:30:13

I maintain a lot of libraries on GitHub. I'd guess about 20 that I'm actively watching, and access to another 20 that I can help with if pinged. Many of them are stable, low activity projects. They might get an occasional bug fix or new feature, but are mostly quiet. Scheduled dependency updates have overwhelmed that tranquility. I've now disabled scheduled updates, replacing them with a local update command.

Pinning development dependencies for these projects ensures that everyone has the same development environment, and that updates and issues can be addressed rather than coming as a surprise at an inopportune moment. But you do want to update those dependencies so you continue working with maintained versions. Enter scheduled updates.

We have three ecosystems that we pin: Python requirements files with pip-compile, pre-commit hooks, and GitHub Actions in CI workflows. All three have services to create monthly update PRs. Dependabot can be configured to create one PR per ecosystem, one for Python and one for Actions. And pre-commit.ci will create a PR for all hooks.

Three PRs per project per month is really noisy. I dread the first of each month, when I wake up to approximately 60 PR notifications (3 ecosystems * 20 watched projects). Other people, such as occasional contributors, watch the projects as well. All these notifications that are irrelevant to them make it less likely they'll pay attention to the notifications that they could help with.
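What a local, on-demand replacement for those scheduled PRs can look like, as an added example (not the author's actual command): a POSIX sh script that, for a project laid out with `requirements/*.in` files and a `.pre-commit-config.yaml` (assumed layout), plans and runs `pip-compile --upgrade` and `pre-commit autoupdate`, leaving the GitHub Actions pins for manual review since there is no standard local updater for them.

```shell
#!/bin/sh
# Hypothetical local update script: re-pins development dependencies on demand
# instead of receiving monthly Dependabot / pre-commit.ci PRs.
# Assumes pip-tools (pip-compile) and pre-commit are installed in the dev env.

# Print, one per line, the update commands that apply to the project rooted
# at $1 without running them, so the maintainer can review the plan first.
plan_updates() {
    root=${1:-.}
    for infile in "$root"/requirements/*.in; do
        # An unmatched glob stays literal in sh, so check the file exists.
        [ -f "$infile" ] || continue
        # pip-compile --upgrade re-resolves every pin in the lock file to the
        # newest release allowed by the constraints in the .in file.
        echo "pip-compile --upgrade --quiet $infile"
    done
    if [ -f "$root/.pre-commit-config.yaml" ]; then
        # pre-commit autoupdate bumps each hook's pinned rev to its latest tag.
        echo "pre-commit autoupdate --config $root/.pre-commit-config.yaml"
    fi
    # GitHub Actions pins in .github/workflows have no standard local updater;
    # they are reviewed by hand and deliberately not touched here.
}

# Run each planned command in order; stop at the first failure so a broken
# resolve is never committed alongside the successful ones.
run_updates() {
    plan_updates "$1" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || exit 1
    done
}

# Usage: ./update.sh plan [dir]   (preview)   ./update.sh apply [dir]   (run)
case "${1:-}" in
    plan)  plan_updates "${2:-.}" ;;
    apply) run_updates "${2:-.}" ;;
esac
```

Review the resulting diff of `requirements/*.txt` and `.pre-commit-config.yaml` before committing, exactly as you would review a Dependabot PR; the point is to choose when that review happens.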
