We use Python/Node/Browser images in a lot of our tests. We want to be on the latest patch mainly so we get up-to-date browsers, so mostly we omit the patch level from the image name, e.g.:
- image: circleci/python:3.7-stretch-node-browsers
But this makes it hard to figure out when a patch breaks our tests - which happens fairly frequently, sometimes due to browser changes that we care a lot about, sometimes due to changes in node or something that are more nuisances but do eventually need to be resolved. At that point we need to lock the patch level until we sort it out:
- image: circleci/python:3.7.6-stretch-node-browsers
Seems like this is exactly why bots like dependabot were created - anyone know if there’s a bot that would make a GitHub PR for us when there’s a new Docker image patch? If there were, then we could leave the patch level fully specified but we’d automatically know when there’s an update, and whether it’s safe to include or something needs updating.
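As an added example (not part of the original post, and not code from CircleCI or Dependabot), here is the core of the check such a bot would run: parse a pinned `major.minor.patch-suffix` tag, find the newest tag that differs only in patch level, and rewrite the `- image:` lines of a config accordingly, while flagging floating tags that are not pinned at all. The tag list is a constructed sample embedded inline; a real bot would fetch it from the registry's tag listing, which this example deliberately does not do. The config text and image names are likewise constructed from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a registry tag listing (not real Docker Hub output).
SAMPLE_TAGS = [
    "3.7.4-stretch-node-browsers",
    "3.7.5-stretch-node-browsers",
    "3.7.6-stretch-node-browsers",
    "3.7.7-stretch-node-browsers",
    "3.7.7-stretch-node",            # same patch, different variant suffix
    "3.8.1-stretch-node-browsers",   # different minor: never a patch update
    "3.7-stretch-node-browsers",     # floating tag, not a pin
    "latest",
]

# Constructed config fragment modelled on the lines in the post.
SAMPLE_CONFIG = """version: 2.1
jobs:
  test:
    docker:
      - image: circleci/python:3.7.6-stretch-node-browsers
      - image: circleci/python:3.7-stretch-node-browsers
"""

# A fully pinned tag: major.minor.patch with an optional "-variant" suffix.
TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")
# A "- image: name:tag" line in CircleCI YAML; the indentation is captured so
# the rewritten line keeps its place in the document.
IMAGE_RE = re.compile(r"^(\s*-\s*image:\s*)(\S+)\s*$")

Parsed = Tuple[int, int, int, str]


def parse_tag(tag: str) -> Optional[Parsed]:
    """Return (major, minor, patch, suffix) for a pinned tag, else None."""
    m = TAG_RE.match(tag)
    if m is None:
        return None
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix or ""


def newest_patch(pinned: str, tags: List[str]) -> Optional[str]:
    """Newest tag with the same major.minor and variant suffix as `pinned`
    but a higher patch level; None when the pin is already current."""
    p = parse_tag(pinned)
    if p is None:
        raise ValueError(f"not a fully pinned tag: {pinned}")
    best, best_tag = p, pinned
    for tag in tags:
        c = parse_tag(tag)
        if c is None:
            continue
        same_line = (c[0], c[1], c[3]) == (p[0], p[1], p[3])
        if same_line and c[2] > best[2]:
            best, best_tag = c, tag
    return None if best_tag == pinned else best_tag


def propose_updates(config_text: str, tags_by_image: Dict[str, List[str]]):
    """Rewrite pinned image tags to their newest patch.

    Returns (new_config_text, updates, unpinned) where updates is a list of
    (image, old_tag, new_tag) and unpinned lists image references that carry
    no full major.minor.patch pin and so cannot be tracked this way.
    """
    out: List[str] = []
    updates: List[Tuple[str, str, str]] = []
    unpinned: List[str] = []
    for line in config_text.splitlines(keepends=True):
        m = IMAGE_RE.match(line)
        if m is None:
            out.append(line)
            continue
        prefix, ref = m.group(1), m.group(2)
        # rsplit keeps registry hosts with ports (host:5000/img:tag) intact.
        image, sep, tag = ref.rpartition(":")
        if not sep or parse_tag(tag) is None:
            unpinned.append(ref)
            out.append(line)
            continue
        newer = newest_patch(tag, tags_by_image.get(image, []))
        if newer is None:
            out.append(line)
            continue
        updates.append((image, tag, newer))
        nl = "\n" if line.endswith("\n") else ""
        out.append(f"{prefix}{image}:{newer}{nl}")
    return "".join(out), updates, unpinned


if __name__ == "__main__":
    text, ups, loose = propose_updates(SAMPLE_CONFIG, {"circleci/python": SAMPLE_TAGS})
    for image, old, new in ups:
        print(f"update {image}: {old} -> {new}")
    for ref in loose:
        print(f"unpinned (cannot track patches): {ref}")
    print(text)
```

The variant suffix is part of the match on purpose: a `-node-browsers` pin must never be "updated" to a `-node` tag just because its patch number is higher. The second image line in the sample is reported as unpinned rather than rewritten, which is the situation the post describes for floating `3.7-...` tags.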