
Dependabot

Flacial edited this page Dec 19, 2022 · 8 revisions

Notes

Dependabot

To keep our packages up to date, we use Dependabot, which automatically opens a pull request against our repo every time one of our dependencies has a new release.

In the image below, there are 2 scenarios:

  • Passing - The update passes our deployment and test checks, so it has a low risk of breaking our builds. After 2 approvals it can be merged.
  • Failing - This is a breaking update that causes either our tests or our deployment to fail. To remedy this, pull the change into your development environment, make the fixes, then open a new pull request (and close the Dependabot pull request). Full steps are in Fixing Breaking Builds below.

(image: dependabot)

Fixing Breaking Builds

Make sure you look at the reason why the build is failing by clicking on Details first! Sometimes a failing build can be resolved just by updating the Dependabot pull request to your latest codebase: comment @dependabot rebase on the pull request.

If that does not work, resolve the issues yourself by following the general steps below:

(image: dependabot branch)

  1. To help understand what may have caused the build to fail, look at the release notes of the updated package.
  2. Copy the Dependabot branch name (screenshot above).
  3. Run git fetch upstream dependabot-branch-name to download the Dependabot branch.
    • You may have to replace upstream and dependabot-branch-name with the remote name you set for the main repo's upstream and the actual Dependabot branch name, respectively.
  4. Now that you have the code locally, run the tests and make the appropriate fixes.
    • Important! Make sure to run yarn install to download the updated library. Otherwise you would still be testing against the older library. Many of us have forgotten to run yarn install and wasted many hours scratching our heads for no reason.
  5. Open a pull request and ask in the channel for a review.
  6. Once your pull request is merged in, close the failing Dependabot pull request.
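As an added example (not part of the original page or the project's tooling), the fetch, install and test steps above as a small POSIX shell script. It assumes Dependabot's default dependabot/<ecosystem>/<package>-<version> branch naming and a remote named upstream (override with UPSTREAM_REMOTE); DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Pull a failing Dependabot branch into a local fix branch, refresh
# node_modules, and run the tests. Constructed example; not the project's
# own tooling. Assumes Dependabot's default branch naming
# (dependabot/<ecosystem>/<package>-<version>) and a remote named
# "upstream" unless UPSTREAM_REMOTE is set. DRY_RUN=1 prints the commands
# instead of running them.
set -eu

UPSTREAM_REMOTE="${UPSTREAM_REMOTE:-upstream}"

# Run a command, or echo it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# Accept only branches that follow Dependabot's naming scheme, so a typo
# never fetches and checks out an arbitrary branch.
is_dependabot_branch() {
  case "$1" in
    dependabot/*/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Local branch name for the fix: fix/<package>-<version>.
local_branch_for() {
  printf 'fix/%s\n' "${1##*/}"
}

reproduce() {
  branch="$1"
  if ! is_dependabot_branch "$branch"; then
    echo "not a Dependabot branch: $branch" >&2
    return 2
  fi
  run git fetch "$UPSTREAM_REMOTE" "$branch"
  run git checkout -b "$(local_branch_for "$branch")" FETCH_HEAD
  # Without this step the tests still run against the old library version.
  run yarn install
  run yarn test
}

if [ "${1:-}" != "" ]; then
  reproduce "$1"
fi
```

Run it as sh reproduce.sh dependabot/npm_and_yarn/some-package-1.2.3 from your clone; the branch name is a constructed placeholder.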

Engineer steps for merging Dependabot PRs

  1. Confirm the PR doesn't break anything by going through the release notes, changelog, and commits.
  2. Confirm it passes the CI/CD checks.
  3. Be careful if it's a bootstrap or next-auth update. We don't have enough tests to catch the breaking changes these might introduce.
  4. Let Dependabot handle merging new changes into the PR. Merging manually might introduce conflicts that are hard to deal with.
  5. If everything looks fine, comment @dependabot merge. Dependabot will merge the PR once the CI/CD checks pass.