Updating dependencies automatically
Automatically Update your dependencies on cloud or self-hosted git installation
When you don’t have an automated way to update your dependencies, they tend to get old really fast and nobody pays attention to it, because the software just works, and you end up with a huge pile of outdated dependencies like this:
Frequent dependency updates also help you avoid known security vulnerabilities, keep the project maintainable and notice unnecessary packages. In my opinion it is better to do it regularly than to discover that you are two years behind and suffer through updating tons of major versions.
Your process for dependency updates is “whenever someone on the team has some extra time”. — depfu
How to do it?
You can do it manually by running (every day 😛):
yarn upgrade-interactive --latest
But come on, the post title says automatically, right?
Well, to do that we will need something that checks our dependencies and ideally opens Pull Requests for us 🤔.
Here is a list of some tools we can use:
- Dependabot (acquired by GitHub)
- Greenkeeper
- David
- Depfu
- Renovate
Renovate
After some consideration, I have chosen Renovate because it works with both self-hosted and cloud-based installations (GitHub, for example).
If you use the GitHub cloud-based version, the process is a piece of cake: you just need to install it from the GitHub Marketplace.
On-boarding
Renovate will first send an on-boarding pull request:
It will list all package files that you have in your repo.
Some supported files are:
- package.json (npm/yarn)
- Dockerfile/docker-compose.yml (Docker)
- requirements.txt (Python/PIP)
- pom.xml (java)
Accepting the PR adds a file called renovate.json to the repository.
It also tells you how many pull requests will be created subsequently, 12 in my example.
Pin dependencies
I am using a JavaScript project as an example, so it will pin all the dependencies in my second pull request.
If you don't know what Dependency Pinning is, or are not sure whether you should do it, please read the explanation on the Renovate website:
After that it is just a matter of waiting for the pull requests.
Self-hosted gitlab
There are 2 options:
- Renovate CLI (npm install -g renovate)
- Renovate Docker
No matter which version you choose, a config.js will be needed.
You also need to generate a token in GitLab (or GitHub).
I am running Renovate on my server, so I just exported GITLAB_TOKEN (GITHUB_TOKEN for GitHub installations):
export GITLAB_TOKEN='secretToken'
If you are using Docker you can also do:
docker run -e GITLAB_TOKEN="Token" …
After that you can just run (from the same folder that contains config.js):
renovate
or (in case you prefer docker)
docker run -e GITLAB_TOKEN="Token" -v /developer/hjemmel/renovate/config.js:/usr/src/app/config.js --rm renovate/renovate
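The post says a config.js is needed but does not show one, so here is an added example of what that file can look like for a self-hosted GitLab run. It is not the post's own file and not Renovate project code: the option names (platform, endpoint, token, repositories, autodiscover, onboarding, dryRun) follow Renovate's self-hosted configuration docs as I know them, so verify them against the version you run; the GitLab URL, the repository names and the RENOVATE_ENDPOINT / RENOVATE_DRY_RUN variables read by the helper are constructed for the example. The point it adds to the post is that the token comes from the environment (as the export above does) rather than being written into a file that lands in the repo, and that the list of repositories is explicit instead of autodiscovered.

```javascript
// config.js for a self-hosted Renovate run against a GitLab instance.
// Added example, not from the original post. Option names follow Renovate's
// self-hosted configuration docs as I know them; check them against your version.

// Placeholder API endpoint and repository names, constructed for this example.
const ASSUMED_GITLAB_API = 'https://gitlab.example.com/api/v4/';
const ASSUMED_REPOSITORIES = ['group/api-service', 'group/web-frontend'];

// Build the config from the environment so the token never lands in the file
// (the post exports GITLAB_TOKEN before running `renovate` or `docker run -e`).
function buildConfig(env) {
  const token = env.GITLAB_TOKEN;
  if (!token || token.trim() === '') {
    throw new Error('GITLAB_TOKEN is not set; export it before running renovate');
  }
  const config = {
    platform: 'gitlab',
    // RENOVATE_ENDPOINT is a name this helper reads; it is not required by Renovate itself.
    endpoint: env.RENOVATE_ENDPOINT || ASSUMED_GITLAB_API,
    token,
    // Explicit list instead of autodiscover, so a token with a wide scope
    // cannot quietly start opening pull requests in every project it can see.
    autodiscover: false,
    repositories: ASSUMED_REPOSITORIES,
    // Let Renovate open the on-boarding pull request described in the post.
    onboarding: true,
  };
  // RENOVATE_DRY_RUN is passed through unchanged (older Renovate versions take
  // a boolean-like value, newer ones a string), so a rehearsal run pushes nothing.
  if (env.RENOVATE_DRY_RUN) {
    config.dryRun = env.RENOVATE_DRY_RUN;
  }
  return config;
}

// Sanity checks worth running before the job is put on a schedule.
function validateConfig(cfg) {
  const problems = [];
  if (cfg.platform !== 'gitlab') problems.push('platform must be gitlab');
  if (!/^https:\/\//.test(cfg.endpoint)) problems.push('endpoint must use https');
  if (!cfg.token) problems.push('token is missing');
  if (cfg.autodiscover && cfg.repositories && cfg.repositories.length > 0) {
    problems.push('autodiscover and an explicit repository list are both set');
  }
  if (!cfg.autodiscover && (!cfg.repositories || cfg.repositories.length === 0)) {
    problems.push('no repositories configured');
  }
  return problems;
}

// Renovate loads this file with require() and expects the config object.
// The guard lets the helpers be imported without a token (Renovate then gets an
// empty config and fails on its own missing-credential checks instead of here).
if (typeof module !== 'undefined') {
  module.exports = process.env.GITLAB_TOKEN ? buildConfig(process.env) : {};
}
```

Put this file next to the `renovate` invocation (or mount it at /usr/src/app/config.js as in the docker command above), export GITLAB_TOKEN in the same shell or cron environment, and run once with RENOVATE_DRY_RUN set to see what would be opened before letting it push branches.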
After running it the process is the same: on-boarding, pin dependency and subsequent pull requests.
How to run it periodically?
I chose to schedule a job in cron, so in /etc/cron.daily I added a script:
You can also use GitLab CI (maybe GitHub Actions) to run it periodically, see some links for more information: