
I just got a Dependabot PR saying:

Bump three from 0.120.1 to 0.125.0

But does it test that this will not break my repo?

It would have to run both "build" and "test" in my package.json. And actually run all my demos to test that they have no errors in Chrome Dev Tools.

How do I test dependabot before merging config mentions a config, but it seems pretty basic, and the Dependabot docs are pretty noisy!

Mugen87
backspaces

2 Answers


Dependabot has a concept of a compatibility score to give you confidence in the version bumps. But many of the dependency updates lack a compatibility score as well.

Also, dependabot PRs are like regular PRs, which means you should have PR builds to ensure the compatibility on your own.

Lastly, technically speaking, the library maintainers should follow semver, so you only have to check the major upgrade PRs.

chenrui

Don't trust the Dependabot compatibility score too much, especially if it's unknown.

As a precaution layer, you can set up a GitHub Actions workflow or GitLab CI/CD pipeline that is triggered on pull_request, checks dependency compatibility, and runs the required tests.

Bilal
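As an added example of the pull_request-triggered workflow both answers describe (this is not code from the question or the answers), here is a minimal GitHub Actions workflow that runs the repo's own "build" and "test" scripts from package.json against every PR, Dependabot's included. The `main` branch name, the Node.js version and the filename `.github/workflows/ci.yml` are assumptions; adjust them to the repository. `npm ci` installs exactly what the bumped `package-lock.json` in the PR pins, so the check exercises the new version of `three` rather than whatever happens to be cached, and `permissions: contents: read` keeps the job's token read-only, which is all a build-and-test job needs.

```yaml
# .github/workflows/ci.yml  (example, assumed filename)
name: CI

on:
  pull_request:            # runs on every PR, including Dependabot's version bumps
  push:
    branches: [main]       # assumed default branch name

permissions:
  contents: read           # least privilege: the job only needs to read the repo

jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20 # assumed; match the project's engines field if it has one
          cache: npm

      # Installs exactly the versions pinned in the PR's package-lock.json,
      # so a bumped dependency is what actually gets built and tested.
      - run: npm ci

      # The two scripts the question says must pass before a bump is safe.
      - run: npm run build
      - run: npm test
```

Once the workflow has run at least once, add `build-and-test` as a required status check in the repository's branch protection rules for `main`; a Dependabot PR can then only be merged after the build and tests have passed on the bumped version.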