Keeping Node Dependencies Up to Date, Automagically!

Eric Wooley — Tue, 10 Dec 2019 18:13:38 +0000

Obligatory intro paragraph

Maintaining projects is hard. There is a ton to do, and often upgrading dependencies is neglected, or put on the back burner. It's hard to justify spending a few hours upgrading a bunch of libraries that already work. If you have ever had to go back and upgrade a few dozen (hundred??) dependencies that have been neglected for a few year(s), you know how much easier to keep up to date consistently.

A giant dependency upgrade is hard, a sure fire way to ship some bugs, and, in the meantime, you will probably be insecure. There are a lot of reasons to upgrade.

Forever ago, I discovered greenkeeper.io, which automatically creates pull requests for dependencies which when they get out of date. Unfortunately, it doesn't seem to play nice with Github actions. Maybe it does, IDK, I gave up on it. It occured to me, that this could be a simple github action... Does a premade one already exist? Yep... BRILLIANT.

Anytime you run this github action, a pull request is made to upgrade dependencies in your package.json files.

Get to the action!

...sorry, sometimes puns must be made

Lets install our github action:

Create a personal access token, with repository access, and add it to your secrets in the settings section of your github repository.
- DO NOT LOSE THIS OR LET ANYONE SEE IT. Your access token is a second github password to your account.
- The example recommends naming your secret GITHUB_TOKEN. I named mine githubAccessToken, since the recommended name does not seem to be valid.
Create a file in your repo, .github/workflows/update_node_deps.yml.

Configuring your setup.

I used the yarn version, because I use yarn workspaces, and yarn upgrade will update all the packages as well.

- name: package-update
  uses: taichi/actions-package-update@master
  env:
    AUTHOR_EMAIL: john@example.com
    AUTHOR_NAME: John
    EXECUTE: "true"
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    UPDATE_COMMAND: yarn
  with:
    args: upgrade --latest

Configuration for Action Packed React:

on:
  schedule:
  - cron: '0 9 * * *' # https://jasonet.co/posts/scheduled-actions/
name: Update
jobs:
  package-update:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: set remote url
      run: git remote set-url --push origin https://$GITHUB_ACTOR:${{ secrets.githubAccessToken }}@github.com/$GITHUB_REPOSITORY
    - name: package-update
      uses: taichi/actions-package-update@master
      env:
        AUTHOR_EMAIL: ericwooley@gmail.com
        AUTHOR_NAME: Eric Wooley
        EXECUTE: "true"
        GITHUB_TOKEN: ${{ secrets.githubAccessToken }}
        LOG_LEVEL: debug
        UPDATE_COMMAND: yarn
      with:
        args: upgrade --latest --ignore-engines

It's mostly stolen from the readme, but it's mine, and I love it. Here is what I changed and why.

Change secrets.GITHUB_TOKEN -> secrets.githubAccessToken
It's set to run on a schedule, of every morning at 9am. See this guide to cron with github

on:
  schedule:
  - cron: '0 9 * * *' # https://jasonet.co/posts/scheduled-actions/

(optional) Use yarn upgrade instead of ncu, so that workspaces will be updated as well.

        # ...
        UPDATE_COMMAND: yarn # This says to use yarn as your upgrade tool.
      with:
        args: upgrade --latest --ignore-engines # extra args for yarn
              # --latest means use the latest versions of the pages.
              # ignore engines, means ignore which version of yarn is performing this upgrade.

That's it! Every day at 9:00am, you should get a pull request, which updates all your node dependencies. Make sure your running CI!

DEV Community: Eric Wooley

Keeping Node Dependencies Up to Date, Automagically!

Obligatory intro paragraph

Get to the action!

Configuring your setup.