
Dependency management scripts #196767

Closed
legrego opened this issue Oct 17, 2024 · 0 comments · Fixed by #201773
Assignees: elena-shostak
Labels: Feature:Hardening (Hardening of Kibana from a security perspective), Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!)

Comments

legrego (Member) commented Oct 17, 2024

We should aim to create tooling to facilitate the management of our third-party dependencies. As a starting point, I recommend we create a set of scripts to allow for ad-hoc exploration, which could then be tied into larger automation flows.

Note

Script names, flags, options, and syntaxes below are for illustrative purposes only. You are free to develop these as you see fit.

Important

All scripts should ignore "package imports" (e.g. importing something from @kbn/core). We are only concerned about the use of third-party dependencies which are sourced from a package registry (npm/yarn/etc).

I have a set of scripts that we can leverage as a starting point for parsing renovate.json. It is incomplete and likely has bugs, but it may be useful: https://github.com/elastic/kibana/compare/main...legrego:kibana:dep-ownership-temp?expand=1

Script to identify dependency usage

A script should exist which generates a list of packages & plugins that use a specific dependency. We should be able to answer the following questions:
1/ Show all packages/plugins that use react-dom
2/ Show all packages/plugins within /some/directory/* that use lodash.

./scripts/identify-dependency-usage <dependency-name> [<path1> .. <pathN>]

The script should optionally allow the output to be grouped by owner, as defined in CODEOWNERS:

./scripts/identify-dependency-usage [--groupBy=owner|package] <dependency-name> [<path1> .. <pathN>]

The script should output its result in JSON format.

Script to identify all dependencies for a given package/plugin

A script should exist which generates a list of dependencies used by a package/plugin. We should be able to answer the following questions:
1/ What dependencies are used by the x-pack/security plugin?
2/ Which react-* dependencies are used by the @kbn/something package?

./scripts/identify-dependency-usage <path> [<dependency-filter>]

The script should output its result in JSON format.

Script to identify dependency ownership

A script should exist which determines dependency ownership.
A dependency is owned by a team if a corresponding entry exists in renovate.json with a reviewers property that contains a team:* value.
In this example, the @elastic/charts dependency is owned by the @elastic/visualizations team.

{
	"groupName": "@elastic/charts",
	"matchDepNames": ["@elastic/charts"],
	"reviewers": ["team:visualizations", "markov00", "nickofthyme"],
	"matchBaseBranches": ["main"],
	"labels": ["release_note:skip", "backport:skip", "Team:Visualizations"],
	"enabled": true
},

We should be able to answer the following questions:
1/ Who owns the react dependency?
2/ Which dependencies do not have an owner?
3/ Which dependencies are owned by the @elastic/kibana-security team?
4/ Generate a full dependency ownership report.

./scripts/check-dependency-ownership [--owner=<owner>] [--dependency=<dependency>] [--missing-owner]

The script should output its result in JSON format.
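As an added example (not code from the Kibana repository or from this issue), the following Node.js script models the first two proposals, identify-dependency-usage in both directions: the files and packages that use a given dependency, grouped by package or by CODEOWNERS owner, and the third-party dependencies of one package with an optional react-* style filter. It ignores @kbn/* package imports and relative imports, as required above. The sample source files, the package layout (x-pack/plugins/<name>, packages/<name>, src/plugins/<name>), the CODEOWNERS lines and the prefix-only CODEOWNERS matching are all assumptions made for this example; a real implementation would walk the repository and apply proper CODEOWNERS glob semantics.

```javascript
// Added example, not Kibana's own tooling: an in-memory model of the proposed
// identify-dependency-usage script over constructed sample files and CODEOWNERS.
// Constructed sample source files (path + contents).
const SAMPLE_FILES = [
  { path: 'x-pack/plugins/security/public/app.tsx', contents: [
    "import React from 'react';",
    "import { render } from 'react-dom';",
    "import { pick } from 'lodash';",
    "import type { CoreStart } from '@kbn/core/public';",
  ].join('\n') },
  { path: 'x-pack/plugins/spaces/public/index.ts', contents: [
    "import { Subject } from 'rxjs';",
    "import { mapValues } from 'lodash';",
    "import * as fp from 'lodash/fp';",
  ].join('\n') },
  { path: 'packages/kbn-ui-shared/src/index.ts', contents: [
    "const ReactDOM = require('react-dom');",
    "import { debounce } from 'lodash';",
    "import { helper } from './helper';",
  ].join('\n') },
];

// Constructed CODEOWNERS content (pattern, then owners).
const SAMPLE_CODEOWNERS = [
  'packages/ @elastic/kibana-operations',
  'x-pack/plugins/security/ @elastic/kibana-security',
  'x-pack/plugins/spaces/ @elastic/kibana-security',
  'packages/kbn-ui-shared/ @elastic/appex-sharedux',
].join('\n');

// Captures the specifier of `import ... from 'x'`, `import 'x'`, `export ... from 'x'`,
// `require('x')` and `import('x')`.
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*(?:type\s+)?|\brequire\s*\(\s*|\bimport\s*\(\s*)['"]([^'"]+)['"]/g;

// Registry package name of a specifier ('lodash/fp' -> 'lodash', '@s/p/x' -> '@s/p').
// Relative imports and Kibana package imports (@kbn/*) are not third-party: null.
function packageName(specifier) {
  if (specifier[0] === '.' || specifier[0] === '/') return null;
  const parts = specifier.split('/');
  const name = specifier[0] === '@' ? parts.slice(0, 2).join('/') : parts[0];
  return name.indexOf('@kbn/') === 0 ? null : name;
}

// Sorted, de-duplicated third-party packages referenced by one file.
function thirdPartyImports(contents) {
  const seen = {};
  SPECIFIER_RE.lastIndex = 0;
  for (let m = SPECIFIER_RE.exec(contents); m; m = SPECIFIER_RE.exec(contents)) {
    const name = packageName(m[1]);
    if (name) seen[name] = true;
  }
  return Object.keys(seen).sort();
}

// Package/plugin root of a file (assumed layout: {x-pack/,src/}{plugins,packages}/<name>).
function packageOf(path) {
  const m = /^((?:x-pack\/|src\/)?(?:plugins|packages)\/[^/]+)\//.exec(path);
  return m ? m[1] : null;
}

// Owner of a path per CODEOWNERS. Simplification: prefix matching only, last match wins.
function ownerOf(path, codeowners) {
  let owner = 'unowned';
  for (const line of codeowners.split('\n')) {
    const fields = line.trim().split(/\s+/);
    if (fields[0] && fields[0][0] !== '#' && path.indexOf(fields[0]) === 0) owner = fields[1];
  }
  return owner;
}

// identify-dependency-usage [--groupBy=owner|package] <dependency> [paths...]
// Returns { package: [files] } or, with groupBy 'owner', { owner: [packages] }.
function identifyDependencyUsage(dependency, options = {}) {
  const codeowners = options.codeowners || SAMPLE_CODEOWNERS;
  const paths = options.paths || [];
  const result = {};
  for (const file of options.files || SAMPLE_FILES) {
    if (paths.length && !paths.some((p) => file.path.indexOf(p) === 0)) continue;
    if (thirdPartyImports(file.contents).indexOf(dependency) === -1) continue;
    const pkg = packageOf(file.path) || file.path;
    const key = options.groupBy === 'owner' ? ownerOf(file.path, codeowners) : pkg;
    const value = options.groupBy === 'owner' ? pkg : file.path;
    const bucket = result[key] || (result[key] = []);
    if (bucket.indexOf(value) === -1) bucket.push(value);
  }
  return result;
}

// identify-dependency-usage <package-path> [<dependency-filter>]; '*' in the filter matches anything.
function listDependencies(packagePath, filter, files = SAMPLE_FILES) {
  const re = filter ? new RegExp('^' + filter.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$') : null;
  const seen = {};
  for (const file of files) {
    if (packageOf(file.path) !== packagePath) continue;
    for (const dep of thirdPartyImports(file.contents)) if (!re || re.test(dep)) seen[dep] = true;
  }
  return Object.keys(seen).sort();
}

// JSON output, as the issue asks for.
console.log(JSON.stringify(identifyDependencyUsage('lodash', { groupBy: 'owner' }), null, 2));
```

Run with node to print the owner-grouped JSON for lodash. Matching on the normalized package name (lodash/fp -> lodash, react-dom/client -> react-dom) is what makes subpath imports count as uses of the dependency; a script that compared raw specifiers would under-report usage.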

@legrego legrego added labels Feature:Hardening (Hardening of Kibana from a security perspective) and Team:Security (Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!) Oct 17, 2024
@elena-shostak elena-shostak self-assigned this Oct 21, 2024
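As an added example for the ownership section (again not the project's own script), this Node.js model of check-dependency-ownership derives owners from renovate.json packageRules entries whose reviewers list contains a team:* value, joins them against the registry dependencies declared in package.json, and answers the four ownership questions through the flags named in the issue. The @elastic/charts rule is the one quoted in the issue; the other rules, the package.json contents and the mapping of team:<name> to @elastic/<name> are constructed assumptions for this example. It also lists rules that name a dependency no longer declared in package.json, a useful hygiene check when dependencies are removed. Only matchDepNames is consulted; renovate rules can also match by other keys (for example matchPackageNames), which a production script would need to handle.

```javascript
// Added example, not Kibana's own script: a model of the proposed
// check-dependency-ownership script over a constructed renovate.json and package.json.
const SAMPLE_RENOVATE = {
  packageRules: [
    { // the entry quoted in the issue
      groupName: '@elastic/charts',
      matchDepNames: ['@elastic/charts'],
      reviewers: ['team:visualizations', 'markov00', 'nickofthyme'],
      matchBaseBranches: ['main'],
      labels: ['release_note:skip', 'backport:skip', 'Team:Visualizations'],
      enabled: true,
    },
    { // constructed for this example; @types/react-dom is deliberately absent from package.json
      groupName: 'react',
      matchDepNames: ['react', 'react-dom', '@types/react', '@types/react-dom'],
      reviewers: ['team:kibana-security'],
      matchBaseBranches: ['main'],
      enabled: true,
    },
    { // constructed: reviewers but no team:* entry, so this does not establish an owner
      groupName: 'lodash',
      matchDepNames: ['lodash'],
      reviewers: ['some-individual'],
      matchBaseBranches: ['main'],
      enabled: true,
    },
  ],
};

// Constructed package.json; versions are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { '@elastic/charts': '0.0.0', react: '0.0.0', 'react-dom': '0.0.0', lodash: '0.0.0', rxjs: '0.0.0' },
  devDependencies: { '@types/react': '0.0.0', jest: '0.0.0' },
};

// A rule's owning team: the first `team:<name>` reviewer, mapped to a GitHub team
// handle (assumption: teams live under the @elastic org).
function owningTeam(rule) {
  for (const r of rule.reviewers || []) {
    if (r.indexOf('team:') === 0) return '@elastic/' + r.slice('team:'.length);
  }
  return null;
}

// Full ownership report: every registry dependency in package.json with its owner
// (or null), plus renovate rules that name a dependency package.json does not declare.
function buildOwnershipReport(renovate = SAMPLE_RENOVATE, pkgJson = SAMPLE_PACKAGE_JSON) {
  const declared = Object.keys(pkgJson.dependencies || {})
    .concat(Object.keys(pkgJson.devDependencies || {})).sort();
  const owners = {};
  const stale = [];
  for (const rule of renovate.packageRules || []) {
    const team = owningTeam(rule);
    for (const dep of rule.matchDepNames || []) {
      if (declared.indexOf(dep) === -1) stale.push({ rule: rule.groupName, dependency: dep });
      if (team) owners[dep] = team;
    }
  }
  return {
    dependencies: declared.map((dep) => ({ dependency: dep, owner: owners[dep] || null })),
    staleRules: stale,
  };
}

// check-dependency-ownership [--owner=<owner>] [--dependency=<dependency>] [--missing-owner]
// With no flag, the full report is returned.
function checkDependencyOwnership(options = {}, renovate, pkgJson) {
  const report = buildOwnershipReport(renovate, pkgJson);
  const deps = report.dependencies;
  if (options.dependency) return deps.filter((e) => e.dependency === options.dependency);
  if (options.owner) return deps.filter((e) => e.owner === options.owner);
  if (options.missingOwner) return deps.filter((e) => e.owner === null);
  return report;
}

// JSON output, as the issue asks for: dependencies with no owning team.
console.log(JSON.stringify(checkDependencyOwnership({ missingOwner: true }), null, 2));
```

Because ownership is only recognized for rules with a team:* reviewer, a rule that lists individual reviewers (the constructed lodash rule) leaves its dependency in the missing-owner list; that is the gap the --missing-owner query is meant to surface.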