
In our projects, 80% of Renovate updates are broken PRs. In theory it should save work, but it just generates more.



But are they broken because of Renovate? Or just the underlying dependency updates?


It's the dependency updates. It doesn't consider if the update makes sense or not. If it fixes vulnerabilities it must be updated, but just for the sake of updating, I don't see the point.


If you don’t want to update dependencies frequently, then you should probably stop using (or reconfigure) the tool whose primary purpose is to help you update dependencies more frequently ;)


Well, I can't not use it since it's a company-wide policy, but I agree with you.


The main reason to update dependencies is that when emergencies do arise, you don't want to be in the situation where your only options are:

1. take on the additional risk of months or years of changes in between

2. beg or plead with (or throw money at) upstream to patch your old version

3. attempt to patch it yourself, potentially introducing new issues because you're not the domain expert



