The plugin site currently uses Gatsby which, due to the huge number of people working on it, gets lots of bug fixes and lots of releases. This means with Dependabot we get like 30+ PRs a week.
I know I've started to ignore them unless it's a major security fix or I'm waiting for a feature to be released. @zbynek and, to a lesser degree, @timja still merge them, but it's slowing down on their parts.
- Disable Dependabot and just upgrade sometimes
  - harder and scarier to upgrade when the need arises
- Automate it
- Continue as is.
For #2, which is my preferred solution, I saw @jglick mention Kodiak on a Jira ticket a while ago and have been meaning to try it. Last night I set it up on a personal project and found it super easy to configure to only auto-merge Dependabot minor PRs as long as they pass CI.
I know there are some security concerns about auto-merging, but honestly I don't think people currently review the upstream patches anyways.
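As an added example, not from the original post or the plugin site repo, a `.kodiak.toml` expressing the setup described above, using the keys from Kodiak's documentation. The CI gate itself comes from GitHub branch protection's required status checks, which Kodiak waits on before merging, so those must be enabled on the target branch; the label name `do-not-merge` is an assumption.

```toml
# .kodiak.toml - added example, not the plugin site's actual config
version = 1

[merge]
# Kodiak only merges once branch protection is satisfied, so the target
# branch must list the CI status checks that should gate a merge as required.
method = "squash"
delete_branch_on_merge = true
# Anything a human has flagged for a closer look is never auto-merged.
blocking_labels = ["do-not-merge"]
# Non-dependency PRs still need the explicit "automerge" label.
require_automerge_label = true

[merge.automerge_dependencies]
# Auto-merge Dependabot PRs for minor and patch bumps only;
# major upgrades stay open for a human to review.
versions = ["minor", "patch"]
usernames = ["dependabot"]

[update]
# Let Dependabot rebase and close its own stale PRs instead of Kodiak.
ignored_usernames = ["dependabot"]
```

With this in place CI is the only gate for minor and patch bumps, so the required checks on the protected branch should cover everything the team relies on (build and tests at minimum), and major bumps still land as ordinary PRs that need a review.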