Since launching Dependabot for Ruby six months ago, we've had a guilty secret: Dependabot couldn't handle the most difficult updates. Specifically, it couldn't hack updates where multiple dependencies needed to be updated at the same time.
Now it can.
Want an example? Check out this pull request. Here, the
Gemfile specified both
bootstrap also relied
popper_js as a sub-dependency. All the specifications had tight version
requirements, so the only way to update was to bump both gems at the same time.
Don't think it's that common? Well, we see lots of Gemfiles specifying both
rspec-rails, for example.
There used to be a name for difficult updates like these - it was "dependency hell". With its new multi-dependency updating powers, Dependabot should be able to make that a thing of the past.
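The bootstrap / popper_js situation described above, as an added Ruby example (not Dependabot's code): it shows why bumping either gem alone fails to resolve under tight requirements and finds the smallest set of gems that has to move together. The gem names are the two the post mentions; all version numbers and requirements are constructed, and `latest`, `consistent?` and `update_plan` are hypothetical helpers.

```ruby
# Added example. Gem names are the two the post mentions; every version number
# and requirement below is constructed for illustration.
INDEX = {
  "bootstrap" => {
    "4.0.0" => { "popper_js" => "~> 1.12.0" },
    "4.1.0" => { "popper_js" => "~> 1.14.0" },
  },
  "popper_js" => { "1.12.9" => {}, "1.14.3" => {} },
}.freeze

# Newest version of a gem in the constructed index.
def latest(name)
  INDEX.fetch(name).keys.max_by { |v| Gem::Version.new(v) }
end

# True when every selected gem's sub-dependency requirements are met by the
# versions selected for those sub-dependencies.
def consistent?(selection)
  selection.all? do |name, version|
    INDEX.fetch(name).fetch(version).all? do |dep, req|
      selection.key?(dep) &&
        Gem::Requirement.new(req).satisfied_by?(Gem::Version.new(selection[dep]))
    end
  end
end

# Smallest set of gems that must move to their latest version together so that
# `target` can be updated; nil when no combination resolves.
def update_plan(current, target)
  others = current.keys - [target]
  (0..others.size).each do |n|
    others.combination(n).each do |extra|
      bumped = [target, *extra]
      candidate = current.merge(bumped.map { |g| [g, latest(g)] }.to_h)
      return bumped.sort if consistent?(candidate)
    end
  end
  nil
end

CURRENT = { "bootstrap" => "4.0.0", "popper_js" => "1.12.9" }.freeze

puts "bootstrap alone resolves: #{consistent?(CURRENT.merge('bootstrap' => latest('bootstrap')))}"
puts "gems to bump together:    #{update_plan(CURRENT, 'bootstrap').join(', ')}"
```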