Do you use a bot to manage your project's dependencies?

I am currently thinking about the best way to organize libraries in my team's projects.

A colleague of mine has set up Renovate to update dependencies automatically, which seems very optimistic to me: you have to trust that updating the dependency does not break the code, even if you configure Renovate to update dependencies only when the semantic version update is a minor or bugfix.

Renovate floods my GitHub notifications, especially when the dependencies are internal libraries that we update often because we are in the development phase.

I smell something wrong in it and I would like to get advice from different points of view.

[image: a small part of my GitHub notifications]


Marco Alka:

Imho, if it's not broken, don't fix it.

Here's what I use for some of my libs: there are bots which only automatically update dependencies when security issues become known (I use Snyk). They create pull requests and you can handle them when you have time. If you have good CI, then every pull request should also be checked automatically (for example on Travis), so that all tests pass. That also means that you need to have extensive unit tests for your library or application.

Enguerran:

The very recent eslint-scope adventure shows us that CI and 100% test coverage are not enough to automate dependency updates, even minor versions.

Marco Alka:

Enguerran, yes, you also need devs who are strict about semver, plus downstream tests (what Google does).

Eric BREHAULT:

When working with dependencies in dev mode, I use mr-developer, which allows using a given git tag or branch of a dependency directly in the project instead of an actual NPM package.

Enguerran:

Thanks Eric, I did not know about python/mr.developer. We should take a look at nodejs/mr.developer to adapt it to our development flow. Even if it does not answer the question in application maintenance: when and how do you update your dependencies? And corollary: what should be the commit message prefix? fix? feat? core? I vote feat, as it changes production code.

Eric BREHAULT:

I update them manually, and it is a fix, not a feature, as it does not produce any change the user can see.

Rhys Arkins:

You can use branch automerge instead of PR automerge for internal dependencies like that, and skip the notifications. Alternatively, use for better notification filtering than GitHub's native interface.
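Putting the two ideas from this thread together (the question's "only minor or bugfix updates" policy and the branch-automerge suggestion in the reply above), here is an added example of a `renovate.json` that is not from the original post or from the Renovate project itself. It assumes the internal libraries live under a hypothetical `@example-org/` npm scope; the other keys (`packageRules`, `matchPackagePatterns`, `matchUpdateTypes`, `automerge`, `automergeType`) are standard Renovate configuration options. Renovate only automerges a branch once the repository's required status checks have passed, so the "trust" the question worries about still rests on the CI suite, not on the bot.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "packageRules": [
    {
      "description": "Internal libraries (assumed scope): merge minor/patch bumps on the branch itself, so no PR and no notification is created while CI is green",
      "matchPackagePatterns": ["^@example-org/"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "automergeType": "branch"
    },
    {
      "description": "Major bumps of anything, internal or external, still open a normal PR for a human to review",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

With `automergeType: "branch"`, Renovate pushes the update to a branch, waits for the status checks, and fast-forwards the base branch only when they pass; if a check fails, it falls back to opening a PR so the failure is visible. That keeps the notification volume down for internal, fast-moving dependencies while leaving major updates under manual review, which is the split the replies above converge on.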