Proposal to Implement a Dependency Update Tool #170
-
The only thing I don't like about dependency update bots is the PR spam. I found an interesting HN discussion where an Algolia dev linked to bodinsamuel/renovate-automatic-branch. Basically, you can set up a cron job in GitHub Actions to “bundle” all of the updates into one PR every so often (e.g. every Friday). It still uses Renovate by the way. This seems like a good direction to take. It's been a while since I've perused the Renovate docs, so maybe they have official support for such a strategy these days? Don't know.
-
Good. I like the idea of setting it up weekly so we have to analyze updates. It would even save CI minutes. I'll take a look at both projects to launch a PR later.
-
@MarlonPassos-git Do you have any experience with Snyk? Would it benefit Radashi to use it, or is Renovate enough as far as security vulnerabilities go?
-
In our project, we use several libraries, and occasionally, new versions are released. Since our project is already fully covered by tests, we believe it would be very helpful to adopt a tool to assist us in keeping dependencies up to date.
In my professional experience, I used Renovate, which proved to be quite effective in this task.