Updating dependencies automatically

Automatically Update your dependencies on cloud or self-hosted git installation

I see dependencies EVERYWHERE

When you don’t have an automated way to update your dependencies, they tend to get old really fast and nobody pays attention to it, because the software just works, and you end up having a huge pile of outdate dependencies like this:

Crying in agony 😭

Frequent dependency updates are also good to avoid security vulnerabilities, better maintainability and keep track of unnecessary packages. In my opinion is better do it regularly than discovery that you are behind two years and suffer to update tons of major versions.

Your process for dependency updates is “whenever someone on the team has some extra time”. — depfu

How to do it?

You can do it manually using (everyday 😛):

yarn upgrade-interactive --latest

But come on the post title says automatically, right?

Well, so to do it we will need something that checks our dependencies and ideally opens a Pull Requests for us 🤔.

Here is a list of some softwares we can use:

• Dependabot (acquired by GitHub)
• Greenkeeper
• David
• Depfu
• Renovate

Renovate

Renovate for rescue

After some consideration, I have chosen Renovate because it works either with self-hosted and cloud-based installations (GitHub for example)

SHOW ME THE CODE

if you use GitHub cloud-based version, the process is a piece of cake, you just need to install it in GitHub marketplace

On-boarding

Renovate will first send a on-boarding pull request:

It will list all package files that you have in your repo.

Some supported files are:

• package.json (npm/yarn)
• Dockerfile/docker-compose.yml (Docker)
• requirements.txt (Python/PIP)
• pom.xml (java)

Accepting the PR a file called renovate.json will be added repository

it also gives you how many pull request will be created subsequently, 12 in my example.

Pin dependencies

I am using a Javascript project as an example, so it will pin all the dependencies in my second pull request.

If you don't know what is Dependency Pinning or not sure if you should do that, please read the explanation in the renovate website:

https://docs.renovatebot.com/dependency-pinning/

After that it is just a matter wait for the pull requests.

Self-hosted gitlab

There are 2 options

• Renovate CLI (npm install -g renovate)
• Renovate Docker

No matter which version you choose a config.js will be needed

Example of config.js

You also need to generate a token in GitLab (or GitHub)

I am running renovate in my server, so I just exported GITLAB_TOKEN (GITHUB_TOKEN for GitHub installations)

export GITLAB_TOKEN='secretToken'

if you are using docker you can also do

docker run -e GITLAB_TOKEN="Token" …

after that you can just run (same folder that you have config.js)

renovate

or (in case you prefer docker)

docker run -e GITLAB_TOKEN="Token" -v /developer/hjemmel/renovate/config.js:/usr/src/app/config.js --rm renovate/renovate

After running it the process is the same: on-boarding, pin dependency and subsequent pull requests.

How to run it periodically?

I choose schedule a job in cron, so in /etc/cron.daily I added a script:

You can also use GitLab CI (maybe GitHub Actions) to run it periodically, see some links for more information:

• https://medium.com/@mikebarkmin/renovate-your-gitlab-projects-automatically-bbba188669b5
• https://www.froehlichundfrei.de/blog/2018-03-13-howto-use-renovate-and-gitlab-ci-to-keep-your-javascript-dependencies-updated/

Reference:

• https://docs.renovatebot.com
• https://docs.renovatebot.com/semantic-commits/
• https://flaviocopes.com/update-npm-dependencies/
• https://medium.com/the-guild/how-should-you-pin-your-npm-dependencies-and-why-2b8d545c7312