Page MenuHomePhabricator
Create Task
Maniphest T335654

SVG Translate github repo has paused Dependabot
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

Dependabot updates are paused
We noticed you haven't used Dependabot in a while, so we've paused automated Dependabot updates for this repository. To resume, simply interact with Dependabot.
For example, merge a Dependabot pull request or use @dependabot rebase. See open Dependabot pull requests or learn more about pausing of activity.

What happens?:

What should have happened instead?:
Pull should be accepted?

Software version (skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

Related Objects

Event Timeline

Glrx created this task.May 1 2023, 12:07 AM
Restricted Application added a project: Community-Tech. · View Herald TranscriptMay 1 2023, 12:07 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Samwilson subscribed.May 1 2023, 5:16 AM

I'm not really sure about Dependabot: generally, we've been doing upgrades whenever working on SVG Translate, and there's not much point in upgrading between those times because we're unlikely to deploy anyway. So I just ignore the Dependabot PRs I'm afraid!

I've tried just now to upgrade all PHP dependencies (PR https://github.com/wikimedia/svgtranslate/pull/718 ) but am running into T335663: Unable to compile assets (digital envelope routines unsupported).

MusikAnimal moved this task from New & TBD Tickets to Needs Discussion on the Community-Tech board.Jul 19 2023, 2:18 PM
JWheeler-WMF subscribed.Mar 25 2024, 9:43 PM

@Samwilson do we still want/need to rely on Dependabot? Is this an engineering backlog decision, or product decision?

Samwilson closed this task as Resolved.Mar 26 2024, 7:09 AM
Samwilson claimed this task.

Most of our products have TranslateWiki contributions, so we should ideally be deploying regularly. If we're doing that, then we should also be updating critical dependencies sometimes (well, we should be doing that for all our projects, but we don't always do so).

Perhaps the best long-term fix here is to move everything to GitLab, where there can be some Wikimedia-wide system of dependency updates like there currently is for (some) repositories on Gerrit.

In the meantime I've been working on SVG Translate and so the Dependabot alerts will be solved for now. Oh, and Dependabot alerts are re-endabled now, so I think this task is all sorted (the alerts will be solved after T335663 is resolved).

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL