chore(deps): pin dependencies #509

Closed
Conversation

BrunoQuaresma
Contributor

  • Pin dependencies
  • Only auto update minors using dependabot

@BrunoQuaresma BrunoQuaresma requested a review from a team May 19, 2025 16:34
@BrunoQuaresma BrunoQuaresma self-assigned this May 19, 2025
@BrunoQuaresma BrunoQuaresma requested review from jaaydenh and removed request for a team May 19, 2025 16:34
@@ -6,7 +6,7 @@
"repository": "https://github.com/coder/vscode-coder",
"version": "1.9.0",
"engines": {
"vscode": "^1.73.0"
"vscode": "1.73.0"
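Review bot: pinning `engines.vscode` to the exact version `1.73.0` changes the meaning of the field instead of locking a dependency: `engines` declares the VS Code releases the extension is compatible with, so the editor and the Marketplace will refuse to install or run it on any version other than 1.73.0, as the comments below point out. Keep `"vscode": "^1.73.0"` here (it is not a package Dependabot resolves) and confine exact pinning to `dependencies` and `devDependencies`.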
Member

I am not sure if we should pin VS Code, as it is now on version 1.100. @code-asher can help us here.

Member

Yeah if we do this our extension will only run on VS Code 1.73.0.

@@ -15,3 +15,6 @@ updates:
interval: "weekly"
ignore:
- dependency-name: "@types/vscode"
- dependency-name: "*"
update-types:
- version-update:semver-major
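Review bot: the new wildcard rule must be a single list item with `update-types` nested under `dependency-name: "*"`; the rendered diff has dropped the indentation, so verify the YAML before merging, because a mis-nested `update-types` key is either rejected or silently ignored by Dependabot. As written the entry suppresses only `semver-major` bumps, so minor and patch updates still open PRs, which matches the description but means the exact pins added to package.json will be rewritten on every minor release. It is also worth checking Dependabot's documented `ignore` semantics for whether this entry blocks security updates that require a major bump, since that is the open question in the thread.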
Member

@matifali matifali May 19, 2025

Perhaps we should also allow minor updates and reduce the frequency to once a month.

@code-asher
Member

code-asher commented May 19, 2025

Why do we need to remove the ^ if we are also adding config to dependabot to ignore major versions?

Edit: to elaborate, we could similarly configure dependabot to ignore minor versions instead of changing the package.json.

Although, I am not sure most packages will backport security fixes and the like, so unsure if we should actually do this. Will dependabot do a minor/major update even if we tell it not to, if the update is for security reasons?
