koolba 4 days ago
Another great example of why things like dependabot or renovate for automatically bumping dependencies to the latest versions are not a good idea. If it's not a critical update, better to let the world be your guinea pig and only update after there's been a while of real world usage and analysis. If it is a critical enough update that you have to update right away, then you take the time to manually research what's in the package, what changed, and why it is being updated.
jakub_g 4 days ago
Dependabot now supports "cooldown" config for this case: https://github.blog/changelog/2025-07-01-dependabot-supports...
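A `.github/dependabot.yml` fragment showing the cooldown setting the comment above refers to, added here as an example (not taken from the linked changelog or from any commenter); the ecosystem, day counts and the excluded package name are illustrative choices.

```yaml
# .github/dependabot.yml -- added example; the ecosystem, directory,
# day counts and package name below are illustrative, not from the thread.
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Hold back a newly published release until it has had some
    # real-world exposure; larger semver jumps wait longer.
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 14
      semver-patch-days: 7
      # Packages listed here are updated without waiting out the cooldown
      # (placeholder name: an internal package the team publishes itself).
      exclude:
        - "@example-org/internal-utils"
```

The per-semver day counts override `default-days` for that update type, so a patch release waits a week while a major release waits a month before a PR is opened.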
chuckadams 4 days ago
If the update isn't from a security alert, I let most dependabot PRs marinate for about a week precisely for this reason. Not the most scientific approach, but less stressful for sure.