GitHub dependabot vs rnx-kit

[benomatis]

I might not have understood everything correctly, but I recently activated dependabot on my github project, and I have had some of my packages update, only to then see align-deps wanting to downgrade them again. Is this normal? I'm assuming I'd have to "believe" align-deps over dependabot, as the latter one merely reports when an update is available, while align-deps would cross-check dependencies across my existing packages, correct? So how do I manage this? How can I make sure that align-deps checks whatever dependabot reports without having to first merge it, pull it, run align-deps, commit it back and push - a bit of a convoluted way of doing this.

[tido64]

Hi @benomatis, the version numbers we have in align-deps are based on what we use internally, that we know works in combination, and also based on what library maintainers declare supported for. It's a best effort practice, but we're fairly confident in our profiles.

Save for react, the version numbers are declared using caret (^) and should allow Dependabot some room to upgrade without affecting your package.json. If it's making changes to your package.json, you might want to consider adding versioning-strategy: "lockfile-only" in your dependabot.yml.

If you find that you want a newer version of a package anyway, you can also consider overriding our recommendations (or write your own preset). You can find more details on how to do that here: https://microsoft.github.io/rnx-kit/docs/guides/dependency-management#customization

[benomatis]

I'm happy for packages to be updated, as I'd like to keep them fresh for the case I need to do any modification to my app that requires a recent package, as I don't want to then suddenly have to deal with huge jumps in versions and the overhead caused by issues that may come out of that. Instead, I was thinking I could run align-deps as soon as dependabot opens a PR, and either somehow close the PR if it's not recommended to update, or at least add an update to the PR in the form of a note providing the output of align-deps. Are there any such preset jobs for GitHub actions that achieve this or would I need to build it from scratch?

[benomatis]

...the other question I have: if I rely on align-deps, will it mean that, for example, to update RN to a greater version, I'd have to wait for all related packages I have to be supported, so potentially never, if I have badly maintained packages as well?

[tido64]

Are there any such preset jobs for GitHub actions that achieve this or would I need to build it from scratch?

We don't have such an action. You would have to build it from scratch.

if I rely on align-deps, will it mean that, for example, to update RN to a greater version, I'd have to wait for all related packages I have to be supported, so potentially never, if I have badly maintained packages as well?

We try to have a new profile out as soon as a new version of React Native drops. For example, we already have a draft for 0.71 here: https://github.com/microsoft/rnx-kit/pull/2032/files. You should be able to upgrade as soon as it gets merged. The big libraries should be updated by then, and we try to keep it up to date over time. We also maintain a list of known "bad" dependencies. If you find breakages, we would appreciate it if you filed issues.

[benomatis]

ok, thank you.