
Add renovate and bolt for auto-package updates, and CVE's #36

Open. Wants to merge 2 commits into base: main

Conversation

davidzwa

@davidzwa davidzwa commented Oct 23, 2023

Fixes #33
Might fix #34

  • Add Mend Renovate as a bot (here)
    • Setting: pull-request requirement should be enabled (optional)
    • Required actions to complete CI (optional)
    • Pin the npm package versions (required, this is how Renovate works best: it will take over specific versions automatically)
  • Add Mend Bolt (https://github.com/marketplace/whitesource-bolt) as a bot
    • Add Mend for CVE detection (if not wanted, let me know. I can revert this)
    • Mend was previously known as Whitesource

What will happen?

  • A lot of PRs will open up at first. This is normal for a first start.
  • On a daily schedule, package-lock PRs will be created to update lock file dependencies 🥳
  • A Renovate dashboard issue will appear tracking all open PRs
  • CVEs will be made (and closed automatically when resolved on main to keep users informed about their status)

In case of questions about Renovate and/or Bolt, please ask away!

@davidzwa davidzwa changed the title Add renovate and whitesource for auto-package updates, and CVE's Add renovate and bolt for auto-package updates, and CVE's Oct 23, 2023
@anttiviljami
Member

anttiviljami commented Nov 11, 2023

Hi @davidzwa thanks for the PR!

Renovate looks like an interesting alternative to Dependabot, which doesn’t seem to do its job on this repo for whatever reason.

Can you explain why renovate works best with pinned dependency versions?

This change is currently causing a conflict that’s preventing the merge.

As a library author, pinned versions are generally a no-no, since we actually want library consumers to use the latest, safe versions of all library deps.

I think this change would mean that users of openapicmd have to now manually override dependency versions using overrides or resolutions in their package.lock, or wait for a new openapicmd release to get updated deps (e.g. for openapi-client-axios-typegen).

Otherwise LGTM.

@davidzwa
Author

davidzwa commented Nov 12, 2023

> Hi @davidzwa thanks for the PR!
>
> Renovate looks like an interesting alternative to Dependabot, which doesn’t seem to do its job on this repo for whatever reason.
>
> Can you explain why renovate works best with pinned dependency versions?

Good question! I just looked it up to be sure. They actually do not require it like I initially thought 👍🏼
https://docs.renovatebot.com/dependency-pinning/#so-whats-best

So my follow-up question is: shall we pin the devDependencies? Those are not required for external use.

> This change is currently causing a conflict that’s preventing the merge.
>
> As a library author pinned versions are generally a no no since we actually want library consumers to use the latest, safe versions of all library deps.

I agree.

> I think this change would mean that users of openapicmd have to now manually override dependency versions using overrides or resolutions in their package.lock, or wait for a new openapicmd release to get updated deps (e.g. for openapi-client-axios-typegen).

Yeah, not a workable solution. See answer above.

> Otherwise LGTM.

Will fix the conflict now.

@davidzwa
Author

davidzwa commented Nov 12, 2023

I've completely removed and re-locked with NPM. There is quite a lot of wiggle room, which also could lead to bugs later as users might have a different set of packages installed.

@anttiviljami we should discuss the non-pinning range strategy next. Could you take a look at these 3 sections:

Viable options in my opinion are: bump, replace, widen, update-lockfile and in-range-only.
I suggest setting dependencies to update-lockfile, as it is a balanced option (not too conservative, but also won't get stuck in the range).
I suggest setting devDependencies to pin or auto.
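One way to express that split in Renovate's config, as an added illustration of the proposal (not a file from this PR; it assumes a renovate.json5 file, which Renovate accepts so comments are allowed, the config:recommended preset, and a package-lock.json in the repo):

```json5
// renovate.json5 (assumed filename; Renovate reads JSON5, so comments are fine)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:recommended"],

  // The tracking issue that lists every open Renovate PR
  // (the "dashboard issue" mentioned in the PR description).
  "dependencyDashboard": true,

  // Daily PRs that refresh package-lock.json only; the version
  // constraints declared in package.json are left untouched.
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 4am"] },

  // Keep Renovate's PRs for advisories against the locked versions
  // (this is the default; shown explicitly so the intent is visible).
  "vulnerabilityAlerts": { "enabled": true },

  "packageRules": [
    {
      // Published constraints stay ranges, so library consumers still
      // resolve newer safe releases themselves. An in-range update only
      // moves the lock file; an out-of-range update replaces the range.
      "matchDepTypes": ["dependencies"],
      "rangeStrategy": "update-lockfile"
    },
    {
      // Tooling is never installed by consumers of the package, so
      // exact versions cost users nothing here.
      "matchDepTypes": ["devDependencies"],
      "rangeStrategy": "pin"
    }
  ]
}
```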

@davidzwa
Author

@anttiviljami interested in your review.

@anttiviljami
Member

Segfault during tests 🤔

Any idea, @davidzwa?

@w3nl

w3nl commented Sep 23, 2024

Renovate doesn't need pinned versions in your package.json.
I work with renovate without pinned versions.
The lock file is the place to pin a version.

If you pin dependencies in your package, know that users are forced to use that pinned version.
If there is a bugfix in a dependency, you have to update your dependency also.
So if you pin, you have to release more often to keep it up-to-date.
I personally don't like packages that pin versions, because I have to wait till that package will release a new version with the updated dependency.

So be careful to pin dependencies.
It is not needed for renovate.
Check what is best for the users of your package.

Successfully merging this pull request may close these issues.

  • Outdated packages like @oclif/*, cli-ux, koa-proxy, and some more
  • Package typegen missing from cli