[Baseline practices] Keeping dependencies and node up to date #280
Comments
|
Something like the steps involved in setting up renovate bot on github for a repo and what are views are on the sort of schedule for updates? |
|
Yes, although I think we should cover more than just renovate. There's also options for automerging, lock file maintenance, etc. One thing I'd also be interested to see is keeping multiple release lines updated, esp. If we're going to make LTS for packages happen. |
|
FWIW @bevry accomplishes the goal of this automatically for all of its packages, through the following pieces
|
|
Adding to the meeting agenda: I think we need an official repo (i.e. under What I'd like to see is an include file with min version and the support policy - we can discuss details in the meeting/new issue (in the new repo?) |
dominykas
added
the
package-maintenance-agenda
|
I have https://github.com/ljharb/travis-ci which I’m using in hundreds of repos; there’s parts of it that remain mildly opinionated about package.json scripts structure, is all. That said, it’s already possible to rely on just the version matrix from it. |
|
Is the reason this is travis specific because that is still the most popular? I personally am switching everything to GH actions, and we discussed on Express doing the same. It seems like having one project with shared configurations just for the node versions part for all popular CI services would be the right course no? EDIT:
I see you agree that it should include other CI services, my bad. With that as the goal I agree! |
|
I don’t think there can be a single universal source based on what’s supported right now; i think each service needs it’s own distinct solution (even if that’s all maintained by us). |
TBH, I haven't followed the latest developments, but I was hoping that it can all be done natively by GH... If that's not available - sure, absolutely, we should provide an official recommendation in the nodejs org. I think a repo-per-service is probably better? Ideas for a naming convention? |
|
I recently setup dependabot on a few repos to see how it works. My first take is "WOW it is so chatty". We had disabled it on Express for this reason, and I thought maybe there were just some settings to make it better. I could not find those settings. Here are the questions I have:
They have a feedback repo, so maybe I will reach out to them there. |
|
I definitely disable dependabot on every repo for these reasons and others; i prefer greenkeeper. |
|
Chiming in here since I actually wrote about this thing recently with regards to Snyk which recently rolled out support for dep upgrades. One of the key points I was making is the ability to configure the type of upgrades you want to receive, ignore some packages if you want, and most importantly the default setup limits the PRs being opened to 5 exactly due to the problem of increased noise and overhead in managing a repo for devs:
|
I know for sure that renovate can do all of these things. |
dominykas
removed
the
package-maintenance-agenda
Greenkeeper is being sunset on 3rd June 2020: https://greenkeeper.io/ |
|
… and replaced with a Snyk service. |
|
For those looking to replace Greenkeeper, this Renovate config comes pretty close: {
"extends": ["config:base"],
"labels": ["greenkeeper"], // ;)
"suppressNotifications": ["prIgnoreNotification"],
"rangeStrategy": "replace"
} |
We should have a doc, which describes the whys and the hows of staying up to date.
The text was updated successfully, but these errors were encountered: