Should we keep the github dependabot?

[lholmquist]

Githubs dependency bot has been sending PR's, that i believe we have merged in the past. There is one open one right now, #254

But i was thinking, do we really need this since these updates have only been to the package-lock.json and since this is a module, that file never gets published, so the end user will never get any benefit it might have.

We are already using snyk to update the "main" dependencies. So does it make sense to keep this bot and have all these little micro-updates that won't ever really make it to a published version?

[lance]

I think it's OK to keep, tbh. The reason it's only updating package-lock.json is because the dependency it's updating (e.g. lodash in the most recent PR) is a nested dependency that is not in package.json. End users see this benefit because this guarantees that when we push the next release, whoever builds it locally is building with the updated dependency. For example, if I have already installed all of my dependencies - you know weeks ago during dev - and package-lock.json has not been updated, I believe npm will be fine with lodash 4.17.15 and not bother pulling 4.17.19. Need to double check this, but I think that's the behavior.

[lholmquist]

yea, i get why it's only updating package-lock.json, but that file doesn't get published, so when the user does an npm install, they are still only getting what is specified in the package.json.

It's not really a big deal if we keep it. it's really only a couple clicks every so often.

[lholmquist]

closing for now