Maintenance: fine tune Dependabot configuration

[am29d]

Summary

We have added Dependabot recently with a broad configuration. We now need to fine tune the dependencies that require an exception or have a specific case, i.e. no upgrade, only major/minor versions. The knowledge about this dependencies was not documented previously.

Why is this needed?

This is needed to document dependency management exceptions, what is pinned what can be upgraded. This will also scope down dependabot for the project specific updates and upgrades.

Which area does this relate to?

No response

Solution

No response

Acknowledgment

• This request meets Powertools for AWS Lambda (TypeScript) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Python, Java, and .NET

Future readers

Please react with 👍 and your use case to help us understand customer demand.

[heitorlessa]

Quick example for groups to fine tune dependencies you don't want major versions, or want to explicitly ignore like middy.

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#specifying-dependencies-and-versions-to-ignore

[dreamorosi]

On the top of my head, I think:

• middy should be locked to minor version in the current major only
• all AWS CDK related dependencies (including alpha packages and CLI) in testing, layers, examples/cdk, etc. should be grouped
• all AWS SDK related dependencies, together with the AWS SDK mock ones (in idempotency and parameters) should be grouped together

For all other dev dependencies, and specifically the ones in the main package.json file, we'll have to be careful especially in those cases where major versions have dropped support for Node.js versions that we still must support (Node.js 16 mainly).

Overall however, except for the CDK related ones, most issues version issues should be caught in the PR CI, so this is a good change.

[heitorlessa]

enjoy PTO Andrea!!

…

On Tue, 9 Jan 2024 at 14:38, Andrea Amorosi ***@***.***> wrote: On the top of my head, I think: - middy should be locked to minor version in the current major only - all AWS CDK related dependencies (including alpha packages and CLI) in testing, layers, examples/cdk, etc. should be grouped - all AWS SDK related dependencies, together with the AWS SDK mock ones (in idempotency and parameters) should be grouped together For all other dev dependencies, and specifically the ones in the main package.json file, we'll have to be careful especially in those cases where major versions have dropped support for Node.js versions that we still must support (Node.js 16 mainly). Overall however, except for the CDK related ones, most issues version issues should be caught in the PR CI, so this is a good change. — Reply to this email directly, view it on GitHub <#1858 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAZPQBHBFHPY37MDY6XBG7TYNVB4FAVCNFSM6AAAAABBSX5IFOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBTGA3DMMJUGU> . You are receiving this because you commented.Message ID: ***@***.*** .com>

[github-actions]

⚠️ COMMENT VISIBILITY WARNING ⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.