Enable Dependabot on prometheus repos


Ben Kochie

Jun 8, 2020, 1:09:03 AM
to Prometheus Developers
I'd like to enable Dependabot on prometheus/prometheus, specifically to automatically handle the React UI version bumps. This will deal with the small version bumps for all the random security vulnerabilities that pop up.

The bot will create PRs like this one:

Julien Pivotto

Jun 8, 2020, 1:11:37 AM
to Ben Kochie, Prometheus Developers
I +1 this

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to prometheus-devel...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/CABbyFmrdAwW8Qp0%2BemgwQQKWNpPVUA1RrRVuOXAndbM3VpPHLQ%40mail.gmail.com.

Simon Pasquier

Jun 8, 2020, 8:10:25 AM
to Julien Pivotto, Ben Kochie, Prometheus Developers
+1 for the React codebase.
FWIW last time I looked at it, dependabot wasn't really ready for
managing Go dependencies.

Sylvain Rabot

Jun 8, 2020, 9:08:50 AM
to Simon Pasquier, Julien Pivotto, Ben Kochie, Prometheus Developers
It is as long as you don’t vendor deps.

> On 8 Jun 2020, at 14:10, Simon Pasquier <spas...@redhat.com> wrote:
>
> +1 for the React codebase.

guggenm...@gmail.com

Jun 27, 2020, 12:27:48 PM
to Prometheus Developers
With Go the dependabot experience indeed isn't that great yet, since vendoring and automatically running go mod clean after every update are not supported yet.