OCaml/opam package manager support for Dependabot - I need your help

Hello OCaml community! :blush:

Let’s kick off the new year with something exciting! I just created a Pull Request to dependabot-core that adds support for Opam in OCaml. This could be super useful for all of us using this ecosystem in our projects!

But the Dependabot maintainers emphasized that maintaining new ecosystems requires community support (check their comment here: https://github.com/dependabot/dependabot-core/pull/13711#issuecomment-3659899321). They already have 3 community-maintained ecosystems and want more, but only if the community helps with long-term updater support.

They will be looking for volunteers to help maintain this – in testing, fixes, or ongoing maintenance. We can push this together if you really want it.

What do you think?

1 Like

I don’t see any value in automatically bumping lower bounds of my packages to be as high as possible: if the package still works with the older dependency, then there’s no reason whatsoever to restrict anyone from doing so. And if it doesn’t work, it requires more changes anyway, along with a manual version bump.

Rather, I would find it very useful to have dependabot suggest newly released OCaml compiler versions to be added to the CI, e.g. changes like this: "Add OCaml 5.2 and 5.3 to CI" (sim642/odep@f29709a on GitHub). Maintaining numerous opam packages, it’s the kind of tedious change that I should do on every compiler release, but it’s easy to forget (clearly, because I haven’t added 5.4 to odep’s CI) and often I miss some package I maintain when doing so.

I’m not sure if dependabot is supposed to do such changes though: it’s not directly a bump of some metadata on the setup-ocaml action, but part of some CI matrix.

3 Likes

Dear @kupolak,

Thanks for this initiative! I am responding with my Security Team hat. Integrating Dependabot with OPAM is definitely something that we would like to support.

However, we need to understand the scope and the details of your proposal, as well as to share our own perspective on this project, before we can take any decisions. Could you please reach out to me via PM and we can arrange a chat to talk about this?

Thanks!

Best wishes,
Nicolas (for the OCST)