Watching for new releases of dependencies when not repo owner

[M-Zuber]

As a co-maintainer of a project (but not the repo owner)
When a dependency is out of date
I would like to receive an alert

I feel like we discussed this already but I don't remember what you said

[andrew]

The main problem with that is that as a user without permission to manage web hooks on the repo we'll have to set something up to check for dependency changes manually on a daily basis rather than instantly updating the repositories dependencies as soon as code is committed and we get a web hook response.

That basically just means that there could be a window of up to ~23 hours where libraries doesn't know that you've added a dependency and so can't tell you about new versions.

One way to get around that for open source projects would be to get notifications of commits via the GitHub firehose and https://github.com/librariesio/github-dispatch

It's definitely do-able, mostly just need to make it clear that it might not be quite as instant as if you have permissions to manage web hooks.

[M-Zuber]

I'm not sure I follow.

I use/maintain a project - say someOtherUser/coolProject
coolProject has a dependency on thirdPerson/foo

When a new version of foo is released I want to get an alert to update/stop using coolProject until the maintainer updates.

EDIT:
I think I understand now. But I do think there is two parts.

1. Change of dependency entirely. (update, removal, add) for which I would be willing to wait a day to get notified.
2. A new release for a dependency - in other words when I click watch on a project it will be as if I went to every dependencies page and clicked watch for a new release

[andrew]

Yep you're right, only the change of a dependency (added or removed) will be delayed, everything else will work as expected.

[andrew]

Bumping for @M-Zuber 👊

[M-Zuber]

👋

[andrew]

Moving this to the Backlog as we'd still like to implement it but can't see that happening in the near future.