add bundler config to dependabot #1548
Conversation
|
In case there's no Gemfile.lock, the dependabot Bundler update, does that really do anything? |
|
@olleolleolle Great question. With a Gemfile.lock it would be much more active (since it would tend to notify any time any version changed), but I believe it will still monitor and mention the dependencies in the Gemfile and gemspec if they should change. Depending on how tight those are, it may not come up often, but would be likely for major version bumps. I believe it also would monitor the dependency graph in the Gemfile/gemspec for any security issues that might arise, which might be more frequent. I struggled to find clear documentation on this, but as an example if you look at the excon/excon (which also doesn't have a Gemfile.lock) dependency graph insights page it shows that it is monitoring the Gemfile (clicking the triple dots also shows that it is monitoring the gemspec): https://github.com/excon/excon/network/updates Does that help/clarify? |
|
It won't hurt, and it won't be many PRs anyway. Go ahead, please! |
|
And, if we don't enjoy it, we can disable it and put a documenting comment in the YAML file and go on. |
Description
I was working on config for faraday-excon and when updating it's dependabot stuff I saw you all didn't have bundler configured here either, so I thought I would offer the setup in case you want it.