Open
Description
Is there an existing issue for this?
- I have searched the existing issues
Code improvement description
❓ We get regular bumps of the linters/static code analyzers used in native helpers like `eslint`, `phpstan`, etc, and even though it's relatively trivial to bump them, it doesn't add much value to do that week after week. A few options I see:
- keep doing it and eat the cost.... it's not much focused time, the more annoying part is the distraction of having to remember to `@dependabot rebase` the next one since we aren't as aggressive about rebasing anymore
- add merge-queue on `dependabot-core`... it's been helpful for this use case in an internal repo, for safety I only queue up one per ecosystem to avoid stepping on each other, but this would let us merge one-linter-per-ecosystem concurrently across multiple ecosystems
- wait for grouped-updates to land... this only solves a small part of this particular problem though
- migrate them one-by-one to using a GitHub action to handle linting... we actually used to do this (GitHub Action: Add Python flake8 linting #2892), and then switched to embedding (breadcrumbs in CI: Simplify workflow by moving suite specific tests into test script #3430)... but embedding isn't necessarily needed now that many editors such as VS Code and others allow quickly installing language-specific plugins like linters...
- migrate them en-masse to using https://github.com/oxsecurity/megalinter... again a CI thing, but keeps some complexity down because it "Just works" on all the native helpers, w/o us having to configure them... eg, we need to add `yamllint` (Run `yamllint` on PR's #5572) and haven't gotten to it, this would let us pick that up for free
One tricky bit is illustrated by #6830. Some linters will need to be run against a matrix of runtime versions.
Thoughts?