Karthi
Automate your dependency updates!

Don’t feel like upgrading? What if…

But what if the upgrades do the complete opposite? What if the new version introduces a new security issue?

For example, a new version of a dependency could be the victim of a supply chain attack. If you never update your dependencies, you won’t get the compromised version. Sounds fair, right?

It’s a valid argument, but your application doesn’t exist in a vacuum; many external factors could force you to upgrade at some point, and when it happens it’s usually at the wrong time.


XKCD comic 2347 is always relevant when talking about dependencies.

Renovate is a tool that automates dependency updates for software projects. It continuously scans the project's dependencies, checks for new releases, and creates pull requests (PRs) to update the dependencies to their latest versions. Renovate supports a wide range of dependency managers, including NPM, Yarn, Maven, NuGet, and many others.

Why use Renovate?

  • Get pull requests to update your dependencies and lock files
  • Reduce noise by scheduling when Renovate creates PRs
  • Renovate finds relevant package files automatically, including in monorepos
  • You can customize the bot's behavior with configuration files
  • Share your configuration with ESLint-like config presets
  • Get replacement PRs to migrate from a deprecated dependency to the community suggested replacement (npm packages only)
  • Open source

Running Renovate

As a Renovate end user, there are two main categories of use:

  1. Self-host Renovate yourself, e.g. with the renovate-runner project for GitLab (https://gitlab.com/renovate-bot/renovate-runner).
  2. Someone else hosts Renovate for you; then you only need a global config and authentication, and you are good to go.

Usually, Renovate raises pull requests and waits for code owners to review and approve them. If you need less manual work than that, automerging is a Renovate feature you can use to automate upgrading dependencies: when enabled, Renovate tries to merge the proposed update once the tests pass.

Keep in mind that keeping your dependencies up-to-date is not just about the tooling, it’s also about having a process:

  • When will you merge this PR?
  • How will you handle the PR that doesn’t build?
  • What about a new major version of an external library that isn’t yet compatible with the rest of your libraries?
  • When will you release this constant flow of library updates?
  • Do you want PRs during the day? During the night? Or on weekends only?
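Most of those process questions can be encoded in Renovate's own configuration. The following renovate.json5 is an added example written for this post, not a file from the Renovate project: it schedules PRs outside working hours, automerges only patch and minor updates after CI passes, keeps major updates and security-alert PRs for human review, and waits a few days before picking up a fresh release so that a version pulled shortly after publication never reaches your tree. The timezone, schedule windows, waiting period and label names are assumptions to adjust for your team.

```json5
// renovate.json5: Renovate accepts JSON5, so comments are allowed here.
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // Open PRs only outside working hours (assumed timezone and windows).
  "timezone": "Europe/Berlin",
  "schedule": ["after 10pm every weekday", "every weekend"],

  // Cap the flow of PRs so the backlog stays reviewable.
  "prConcurrentLimit": 5,
  "prHourlyLimit": 2,

  // Do not pick up a release the moment it is published. A compromised
  // version is usually yanked within days, so a short delay reduces the
  // window in which an automated PR could pull it in (assumed: 3 days).
  "minimumReleaseAge": "3 days",
  "internalChecksFilter": "strict",

  // Refresh lock files on a quiet schedule as well.
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on monday"]
  },

  "packageRules": [
    {
      // Patch and minor updates: merge automatically once CI is green.
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "pr",
      "platformAutomerge": true
    },
    {
      // Major updates: never automerge; label them for a human reviewer.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["major-update", "needs-review"]
    }
  ],

  // PRs raised for known-vulnerable versions get a label and a human look,
  // even though they bypass the schedule and the release-age delay.
  "vulnerabilityAlerts": {
    "labels": ["security"],
    "automerge": false
  }
}
```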

Reference: https://www.npmjs.com/package/renovate
