DEV Community: Fateh AK The latest articles on DEV Community by Fateh AK (@fatehak). https://dev.to/fatehak https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F176071%2F11d000c1-4210-42b2-8ef6-4c37324ef720.png DEV Community: Fateh AK https://dev.to/fatehak en Automate your dependency updates with Renovate Fateh AK Sun, 19 Feb 2023 07:46:15 +0000 https://dev.to/fatehak/automate-your-dependency-updates-with-renovate-kmc https://dev.to/fatehak/automate-your-dependency-updates-with-renovate-kmc <h2> On this page </h2> <ul> <li>Setup Renovate</li> <li>Schedules</li> <li>Grouping updates</li> <li>Automerge</li> <li>Dependency Dashboard</li> <li>My Configuration</li> <li>Wrapping up</li> </ul> <p>Every modern web project has a plethora of <strong>dependencies</strong> bundled together. It may not seem much initially, but managing dependencies becomes a project's greatest maintenance nightmare in the long run.</p> <p>The hard truth is dependencies go <strong>out-of-date</strong> rapidly, with patches and minor releases coming out every other week. It is important to keep them updated continuously rather than deferring this activity for later every time. The added advantage is that updates could bring potential bug fixes and patches for critical security vulnerabilities. (or introduce new ones as well, we'll see how we can tackle this later in the article)</p> <p>Developers <strong>dread</strong> getting assigned a dependency updation task especially when it's been ages since they've last done it.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffp550qi7ixevzombeqtp.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffp550qi7ixevzombeqtp.jpg" alt="Boromir is frustrated dealing with dependencies" width="500" height="403"></a></p> <p>Even Boromir is frustrated!</p> <p>We should leverage the tools available to solve such problems. <a href="https://www.mend.io/free-developer-tools/renovate/" rel="noopener noreferrer">Renovate</a> is one such tool that does the job swimmingly!</p> <h2> Setup Renovate <a></a> </h2> <p>Let's take a look at setting it up. There are three ways to set up Renovate:</p> <ul> <li>Self Hosting a docker image</li> <li>Using the built-in GitHub / GitLab app</li> <li>NPM package</li> </ul> <p>Usually, self-hosting is the better approach for private projects, but as my use case already revolved around projects hosted on GitHub, we'll take that route instead.</p> <p>You can add the <a href="https://github.com/marketplace/renovate" rel="noopener noreferrer">GitHub app</a> from the marketplace and give it access to your repository.</p> <p>Renovate will create an onboarding PR shortly to merge a <code>renovate.json</code> configuration file into your repository.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xayszarkwcgb7m1v1wd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xayszarkwcgb7m1v1wd.png" alt="Onboarding PR created by Renovate Bot" width="800" height="279"></a></p> <p>Onboarding PR created by Renovate Bot</p> <p>A basic configuration file is created at the repository <code>&lt;root&gt;</code> with the PR.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://docs.renovatebot.com/renovate-schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"config:base"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Renovate will now scan your package.json file for dependencies. The default update style is via PRs which are raised for all <strong>dependencies</strong>, <strong>dev dependencies</strong>, and <strong>peer dependencies</strong>. (you can customize this)</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv4rhoyikfi6k73k0jxpk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv4rhoyikfi6k73k0jxpk.png" alt="Renovate raised a PR automatically to update eslint-plugin-import" width="800" height="455"></a></p> <p>Renovate raised a PR automatically to update eslint-plugin-import 🥳</p> <p>A PR is raised with details such as <strong>release notes</strong>, <strong>age</strong>, <strong>adoption rate</strong>, and more for every dependency. This helps us make an informed decision and ensures we stay in the loop in case there are any breaking changes or vulnerabilities.</p> <p>Supported package managers include <strong>npm</strong>, <strong>yarn</strong>, and <strong>pnpm</strong>, so your lock files will be kept in sync with the updates too.</p> <p>The <strong>customizability</strong> part is where it really shines. Let's check out some ways to make it even more seamless.</p> <h2> Schedules <a></a> </h2> <p>You can set <strong>schedules</strong> to tell Renovate when to run the updates.</p> <p>An example schedule looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"before 11am every saturday"</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <p>The default timezone is UTC which you can override:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"timezone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Asia/Kolkata"</span><span class="w"> </span></code></pre> </div> <p>You can also set it to <strong>rebase automatically</strong> whenever the PR is behind to avoid merge conflicts. It can come in handy when we are running it on a schedule.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="nl">"rebaseWhen"</span><span class="p">:</span><span class="w"> </span><span class="s2">"behind-base-branch"</span><span class="w"> </span></code></pre> </div> <p>With scheduling, I know precisely when the updates will be raised which makes me plan better for that day.</p> <p>Refer to the documentation on <a href="https://docs.renovatebot.com/key-concepts/scheduling/" rel="noopener noreferrer">schedules</a> to learn more about the syntax.</p> <h2> Grouping updates <a></a> </h2> <p>Let's consider we have <strong>10 dependencies</strong> in our repository that are out-of-date. Renovate will see this and raise <strong>10 PRs</strong> on your branch. A better approach is to group dependency updates that belong together.</p> <p>You can think of creating meaningful groups. For example, you can group all updates to <strong>eslint</strong> and its plugins in a single PR.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"packageRules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchPackagePatterns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"^eslint"</span><span class="p">],</span><span class="w"> </span><span class="nl">"groupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eslint and its plugins"</span><span class="p">,</span><span class="w"> </span><span class="nl">"groupSlug"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eslint"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Or you could create a generic group of <code>minor</code> and <code>patch</code> releases for all dependencies. Now, all updates for the group happen in a single PR.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"patch"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"groupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"non-major dependencies"</span><span class="p">,</span><span class="w"> </span><span class="nl">"groupSlug"</span><span class="p">:</span><span class="w"> </span><span class="s2">"minor-patch"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"minor"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"groupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"non-major dependencies"</span><span class="p">,</span><span class="w"> </span><span class="nl">"groupSlug"</span><span class="p">:</span><span class="w"> </span><span class="s2">"minor-patch"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Think deeply as to which dependencies belong together. There could be some you know that are always used together, for example, build-time dependencies used for image compression.</p> <blockquote> <p><strong>Note</strong>: One caveat here is to be careful with the grouping strategy. If a dependency part of a larger group breaks, it may be a while before you figure it out.</p> </blockquote> <h2> Automerge <a></a> </h2> <p>By default, Renovate raises a PR that must be manually reviewed and merged. While this flow is ideal for any critical dependencies and updates to major versions but for dev dependencies or any trivial ones, this will slow you down.</p> <p>To configure Renovate to automerge the PRs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"packageRules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchUpdateTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"minor"</span><span class="p">,</span><span class="w"> </span><span class="s2">"patch"</span><span class="p">],</span><span class="w"> </span><span class="nl">"matchPackageNames"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"rimraf"</span><span class="p">],</span><span class="w"> </span><span class="nl">"automerge"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This will automerge PRs for the <strong>rimraf</strong> package only for minor and patch releases, but for major releases, you must merge the PR manually.</p> <p>You can even tell Renovate to <strong>automerge a branch</strong> instead of a PR. Whenever a PR gets merged on GitHub, you get an email adding noise to your mailbox.</p> <p>To avoid it, we can tell Renovate to create a temporary branch instead and merge it automatically and silently in <em>ninja style!</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"automerge"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"automergeType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"branch"</span><span class="p">,</span><span class="w"> </span><span class="nl">"automergeStrategy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rebase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"commitBodyTable"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If you prefer to avoid merge commits, then set <code>rebase</code> as the automerge strategy.</p> <p>In the <code>branch</code> strategy, details such as release notes and adoption rates are absent as they are generated only for PRs. So, we can set the <code>commitBodyTable</code> flag to at least get the bare minimum details.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>datasource</th> <th>package</th> <th>from</th> <th>to</th> </tr> </thead> <tbody> <tr> <td>npm</td> <td>lint-staged</td> <td>13.1.0</td> <td>13.1.1</td> </tr> <tr> <td>npm</td> <td>rimraf</td> <td>3.1.0</td> <td>3.1.1</td> </tr> </tbody> </table></div> <p>Renovate creates branches with the prefix <code>renovate/</code>, so you can configure your CI to run relevant tests and build jobs on it before it gets merged.</p> <p>On a GitHub repository, Renovate requires <strong>passing status checks</strong> before merging, if you don't have any workflows configured you can bypass this temporarily:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"ignoreTests"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <blockquote> <p><strong>Caution</strong>: Use the automerge feature only when you are <strong>confident</strong> of your CI pipeline and set it up to avoid critical dependencies and <code>major</code> releases.</p> </blockquote> <p>Learn more about <a href="https://docs.renovatebot.com/key-concepts/automerge/" rel="noopener noreferrer">automerge</a> on Renovate's official docs.</p> <h2> Dependency Dashboard <a></a> </h2> <p>The Dependency Dashboard is one of the coolest features of Renovate. If enabled, Renovate creates an <strong>issue</strong> in your repository containing the status of all your dependencies about to be merged, and this works nicely when automerge and scheduling are enabled.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyj8sk45wmu5z8ssi1oj.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftyj8sk45wmu5z8ssi1oj.png" alt="Dependency Dashboard listing all pending updates" width="800" height="364"></a></p> <p>Dependency Dashboard listing all pending updates</p> <p>To enable it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"dependencyDashboard"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>An additional feature supported by the Dashboard is <strong>package approval</strong>. For example, if you have automerge enabled, you can tell Renovate that all major dependencies need to be approved first before are automerged.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flnivtrtcqt19f62rtlvg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flnivtrtcqt19f62rtlvg.png" alt="All major dependencies require approval" width="674" height="167"></a></p> <p>All major dependencies require approval</p> <p>You can configure it like so:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"major"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dependencyDashboardApproval"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Or you can even tell it require approval only for certain packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"packageRules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchPackagePatterns"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"^my-package"</span><span class="p">],</span><span class="w"> </span><span class="nl">"dependencyDashboardApproval"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Not all platforms support this feature. Here is an excerpt from the Renovate docs:</p> <blockquote> <p>The Dependency Dashboard requires that the host platforms supports the concept of issues with dynamic Markdown checkboxes.</p> </blockquote> <p>Learn more about the <a href="https://docs.renovatebot.com/key-concepts/dashboard/" rel="noopener noreferrer">dashboard</a> in the docs.</p> <h2> My Configuration <a></a> </h2> <p>I've set up Renovate for some of my projects and NPM packages. My main focus was on reducing PR noise and simplicity.</p> <p>Scheduling is set for <strong>before 11am every saturday</strong> with <strong>branch</strong> automerge and package groups set up for <strong>minor + patch</strong> and <strong>major</strong> versions. The dashboard approval flow is set for all major versions.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"$schema"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://docs.renovatebot.com/renovate-schema.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"config:base"</span><span class="p">],</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"dependencies"</span><span class="p">],</span><span class="w"> </span><span class="nl">"schedule"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"before 11am every saturday"</span><span class="p">],</span><span class="w"> </span><span class="nl">"timezone"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Asia/Kolkata"</span><span class="p">,</span><span class="w"> </span><span class="nl">"enabledManagers"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"npm"</span><span class="p">],</span><span class="w"> </span><span class="nl">"rangeStrategy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"bump"</span><span class="p">,</span><span class="w"> </span><span class="nl">"automerge"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"automergeType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"branch"</span><span class="p">,</span><span class="w"> </span><span class="nl">"automergeStrategy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rebase"</span><span class="p">,</span><span class="w"> </span><span class="nl">"commitMessagePrefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"chore(deps): "</span><span class="p">,</span><span class="w"> </span><span class="nl">"commitBodyTable"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencyDashboard"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencyDashboardAutoclose"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"configMigration"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"platformCommit"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"lockFileMaintenance"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"rebaseWhen"</span><span class="p">:</span><span class="w"> </span><span class="s2">"behind-base-branch"</span><span class="p">,</span><span class="w"> </span><span class="nl">"patch"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"groupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"non-major dependencies"</span><span class="p">,</span><span class="w"> </span><span class="nl">"groupSlug"</span><span class="p">:</span><span class="w"> </span><span class="s2">"minor-patch"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"minor"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"groupName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"non-major dependencies"</span><span class="p">,</span><span class="w"> </span><span class="nl">"groupSlug"</span><span class="p">:</span><span class="w"> </span><span class="s2">"minor-patch"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"vulnerabilityAlerts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"security"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"major"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"automerge"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="p">,</span><span class="w"> </span><span class="nl">"dependencyDashboardApproval"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"commitMessagePrefix"</span><span class="p">:</span><span class="w"> </span><span class="s2">"chore(deps-major): "</span><span class="p">,</span><span class="w"> </span><span class="nl">"labels"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"dependencies"</span><span class="p">,</span><span class="w"> </span><span class="s2">"breaking"</span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"packageRules"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchPackageNames"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"node"</span><span class="p">],</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"matchDepTypes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"peerDependencies"</span><span class="p">],</span><span class="w"> </span><span class="nl">"enabled"</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>I've also disabled the auto-updation of peer dependencies and the Node version since updating them can be problematic for other dependencies.</p> <blockquote> <p><strong>Renovate is not limited to Node alone!</strong> You can add support for additional managers like dockerfile, pip, gomod, etc through the <code>enabledManagers</code> property. Check out all <a href="https://docs.renovatebot.com/modules/manager/#supported-managers" rel="noopener noreferrer">supported managers</a> in the docs.</p> </blockquote> <p>With this configuration, I take one quick look at Renovate's dashboard early morning on Saturday while having my hot cup of coffee and approve requests seamlessly. And this is precisely the kind of automation I was looking for ✨</p> <h2> Wrapping up <a></a> </h2> <p>Renovate is free, feature-packed, has a regular maintenance schedule, and is used globally by several top-tier <a href="https://github.com/renovatebot/renovate#who-uses-renovate" rel="noopener noreferrer">companies</a>.</p> <p>I enjoy automating things like this. I used to constantly think about what would happen to my projects given the rapidly changing state of the Web. And this is what led me to Renovate. In a way, it has helped me stay on top of the latest advancements. I consider it a prerequisite now for setting up any new project.</p> <p>Take a look at its super detailed <a href="https://docs.renovatebot.com/" rel="noopener noreferrer">docs</a>. You can also check out my <a href="https://github.com/FatehAK/vite-plugin-image-optimizer" rel="noopener noreferrer">repository</a> as a reference.</p> <p>So, what are you waiting for? Time to get automatin! 🚀</p> npm webdev automation tooling Hassle-free NPM package publishing with release-it Fateh AK Sat, 18 Feb 2023 09:12:07 +0000 https://dev.to/fatehak/hassle-free-npm-package-publishing-with-release-it-g7b https://dev.to/fatehak/hassle-free-npm-package-publishing-with-release-it-g7b <p>I've just created my first NPM package and was searching the web for ways to automate the publishing step.</p> <p>I had the following requirements in mind:</p> <ul> <li>A single command from start to end.</li> <li>Every release should follow <a href="https://semver.org/" rel="noopener noreferrer">semver</a> with automatic creation of git tags.</li> <li>Simple way to choose the type of release. (major / minor / patch)</li> <li>Auto generation of release notes based on commit history.</li> <li>Possibility to draft a release on GitHub. (nice to have)</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbb8k2v9fqtuufh8ecl7e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbb8k2v9fqtuufh8ecl7e.png" alt="Semantic Versioning" width="800" height="279"></a></p> <p>A git tag with semver (credit: baeldung)</p> <p>As I was searching for tools to accomplish the above, I came across <a href="https://github.com/release-it/release-it" rel="noopener noreferrer">release-it</a>, which satisfied all of my requirements with the right amount of flexibility.</p> <h2> Demo </h2> <p>Here is a short demo of me publishing a package using release-it:</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/uOMgPWdYqUQ"> </iframe> </p> <p>A GitHub release is created with the <code>draft</code> status containing a prefilled changelog and uploaded assets without any manual intervention.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh6c185lez00rpddhoqh0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fh6c185lez00rpddhoqh0.png" alt="GitHub draft release" width="800" height="308"></a></p> <p>A GitHub draft release with the changelog prefilled</p> <p>The whole process only took <strong>under a minute</strong> with release-it. Usually, we have to type in various commands in sequence for bumping the version, generating a git tag, creating a tarball, writing a changelog, and finally publishing the package to NPM.</p> <p>All of these steps are automated by release-it, and every aspect of it is customizable with a configuration file.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-D</span> release-it </code></pre> </div> <p>After installation, add release-it to the <code>scripts</code> section in your package.json file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-package"</span><span class="p">,</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"0.0.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"release"</span><span class="p">:</span><span class="w"> </span><span class="s2">"release-it"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now create a <code>.release-it.js</code> file in your project's <code>root</code> directory. We will use this to configure it.</p> <h2> Usage </h2> <p>Once your package is ready to be published, run the following command in the terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm run release </code></pre> </div> <p>You will be shown the changelog first and then followed by a series of prompts with the option to choose the type of release (major / minor / patch).</p> <blockquote> <p><strong>Note</strong>: By default release-it will bump the <code>version</code> key in package.json. So, if the package is being published for the first time make sure its initially set to <code>0.0.0</code>.</p> </blockquote> <p>Here is the configuration I used to publish the package as shown in the demo:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">git</span><span class="p">:</span> <span class="p">{</span> <span class="na">commitMessage</span><span class="p">:</span> <span class="dl">'</span><span class="s1">chore: Release v${version}</span><span class="dl">'</span><span class="p">,</span> <span class="na">tagName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">v${version}</span><span class="dl">'</span><span class="p">,</span> <span class="na">requireCommits</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// require commits since last tag</span> <span class="na">requireCleanWorkingDir</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// exits if local not upto date with remote or if workdir is unclean</span> <span class="p">},</span> <span class="na">github</span><span class="p">:</span> <span class="p">{</span> <span class="na">release</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// creates a github release</span> <span class="na">draft</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="c1">// github releases are only drafted, confirm the draft in github releases page to publish it</span> <span class="na">releaseName</span><span class="p">:</span> <span class="dl">'</span><span class="s1">✨ v${version}</span><span class="dl">'</span><span class="p">,</span> <span class="na">commitArgs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">-S</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// creates gpg signed commits</span> <span class="na">tagArgs</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">-s</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// creates gpg signed tags</span> <span class="na">assets</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">tar/*.tgz</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// assets to be included in the GitHub releases page</span> <span class="p">},</span> <span class="na">npm</span><span class="p">:</span> <span class="p">{</span> <span class="na">publish</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="na">hooks</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// runs lint before publishing</span> <span class="dl">'</span><span class="s1">before:init</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">pnpm lint</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// build the package to publish and the generate a tarball for use in github releases</span> <span class="dl">'</span><span class="s1">after:bump</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">pnpm build &amp;&amp; pnpm tarball</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">after:release</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">echo Successfully created a release v${version} for ${repo.repository}.</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>The added support for <strong>lifecycle hooks</strong> is my favourite feature since it allows us to run tasks at various stages of publishing. Using these hooks, we could run our lint and test jobs before we begin the release process saving us time if they were to fail later.</p> <p>Refer to its <a href="https://github.com/release-it/release-it#release-it-" rel="noopener noreferrer">documentation</a> to learn more about the configuration.</p> <p>I loved the intuitive prompt-based approach offered by <a href="https://github.com/release-it/release-it" rel="noopener noreferrer">release-it</a> as it helps reduce the friction involved in package publishing.</p> <p>You can also check out my <a href="https://github.com/FatehAK/genzo-cli" rel="noopener noreferrer">package</a> as a reference in setting it up.</p> <p>I hope this post motivated you to streamline your package release process!</p> npm webdev automation tooling