Hi Sebb,

On 3.11.2025 18:38, sebb wrote:
> On Mon, 3 Nov 2025 at 17:26, Piotr P. Karwasz <[email protected]>
> wrote:
>> Dependabot actually pauses automatically after about 90 days of
>> inactivity (see this blog post [1]). However, this relies on some
>> collective discipline: we should avoid interacting with Dependabot
>> unless the repository itself shows recent, non-trivial activity.
>>
>> I’d like to suggest the following approach: let’s ignore Dependabot PRs
>> until one of the following happens:
>>
>> - A new non-Dependabot PR is opened in the repository, or
>> - We commit other changes to the repository.
>>
>> At that point, we can review and merge the pending Dependabot updates as
>> part of the regular maintenance.
>
> That would reduce some of the noise, but not all of it.
> And as soon as a commit is made, there will be another 90 days before
> dependabot stops making noises.
>
> I still think quarterly reports are worth trying.
Sure, we should apply both:

- Configure Dependabot to check for updates quarterly,
- Consider the consequences before interacting with Dependabot in a barely active repo.

We don't need to upgrade every repo to every version of `commons-parent`.

Piotr

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
