Configuring dependabot to ignore fine-tuning folder in gke/ai-ml/playground #460
karajendran wants to merge 3 commits into
ferrarimarco left a comment:
This is likely not the way we want to go.
Dependabot is not currently configured for regular dependency updates (IIRC, @prev-dev is working on that). The Dependabot PRs you see are all about updating dependencies with known vulnerabilities, not about general dependency updates.
We likely don't want to leave stuff around that installs known vulnerable dependencies.
My 2c: if something is deprecated, we should actually remove it from the repository. If anyone needs that, they have Git history to get it back.
Finally, this Dependabot configuration will not do what you likely intend it to do. The result of applying this configuration will be that Dependabot will start proposing ungrouped version updates for dependencies listed in /requirements.txt.
It will not stop proposing security updates for the paths you listed in exclude-paths.
Because:
- /requirements.txt doesn't include the dependencies you intend to ignore.
- The directory: "/" entry doesn't recurse to subdirectories.
- You didn't specify an applies-to. The default for applies to is version-updates, not security-updates.
This PR configures Dependabot to ignore the following folders:
/use-cases/model-fine-tuning-pipeline/fine-tuning/
use-cases/model-fine-tuning-pipeline/data-preparation/
Since the fine-tuning use case has been migrated from gke/ai-ml/playground to gke/base/platform, we no longer need Dependabot tracking dependencies in these playground paths.