Dependency updates with Renovate
Hi folks! I’ve noticed that several dependencies are out of date, sometimes causing warnings when running npm install.
I noticed that you already use Snyk at open-wc. Snyk has the ability to automatically keep dependencies up-to-date. Can we use this to keep dependencies up-to-date in open-wc/open-wc and modernweb-dev/web?
I don’t see any documentation about whether Snyk works with monorepos. If Snyk doesn’t work, Dependabot works with monorepos according to their website. I like Dependabot due to using it on a Ruby project I help maintain.
I think we should use something to keep dependencies up-to-date, and I would prefer it to be automated since there are so many individual packages.
Updates available as of 2020-10-26:
$ npx npm-check-updates
Checking /Users/stephen/temp/web/package.json
[====================] 35/35 100%
@changesets/cli ^2.9.2 → ^2.11.1
@rollup/plugin-node-resolve ^8.4.0 → ^9.0.0
@rollup/plugin-typescript ^5.0.2 → ^6.0.0
@types/chai ^4.2.11 → ^4.2.14
@types/node ^14.6.0 → ^14.14.5
@types/sinon ^9.0.4 → ^9.0.8
@typescript-eslint/eslint-plugin ^3.7.0 → ^4.6.0
@typescript-eslint/parser ^3.7.0 → ^4.6.0
alex ^8.1.1 → ^9.0.1
concurrently ^5.2.0 → ^5.3.0
eslint ^7.5.0 → ^7.12.0
eslint-config-prettier ^6.11.0 → ^6.14.0
husky ^1.0.0 → ^4.3.0
lint-staged ^10.3.0 → ^10.5.0
mocha ^8.1.1 → ^8.2.0
prettier ^2.0.5 → ^2.1.2
prettier-plugin-package ^1.0.0 → ^1.2.0
remark-cli ^8.0.1 → ^9.0.0
remark-lint ^7.0.1 → ^8.0.0
remark-preset-lint-recommended ^4.0.1 → ^5.0.0
rollup ^2.20.0 → ^2.32.1
rollup-plugin-terser ^6.1.0 → ^7.0.2
sinon ^9.0.2 → ^9.2.0
ts-node ^8.10.2 → ^9.0.0
typescript ^4.0.0 → ^4.0.5
npm@7 output when running npm install:
$ npm i
npm WARN deprecated @types/vfile@4.0.0: This is a stub types definition. vfile provides its own type definitions, so you do not need this installed.
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated flat@4.1.0: Fixed a prototype pollution security issue in 4.1.0, please upgrade to ^4.1.1 or ^5.0.1.
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated rollup-plugin-babel@4.4.0: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-babel.
npm WARN deprecated @types/globby@9.1.0: This is a stub types definition. globby provides its own type definitions, so you do not need this installed.
npm WARN deprecated smartwrap@1.2.5: Backported compatibility to node > 6
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @web/dev-server-cli@0.0.3: This packages is merged into @web/dev-server
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated popper.js@1.16.1: You can find the new Popper v2 at @popperjs/core, this package is dedicated to the legacy v1
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
...
Issue analytics: created 3 years ago; 14 comments (13 by maintainers).
Re: @vlilloh and @abdonrd suggesting Dependabot
While testing Dependabot, I discovered that the new Dependabot (native to GitHub) does not support automatically merging packages. I don’t know how long the legacy version of Dependabot (which supports auto-merging) will still be around, so I wouldn’t want to use it here. This is a huge strike against Dependabot, and I think we should move forward with using Renovate.
https://github.com/dependabot/dependabot-core/issues/1973#issuecomment-640918321
That sounds like a good approach 👍
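A Renovate configuration of the kind this thread is converging on, added here as an illustration; it is not the configuration that open-wc or modernweb-dev/web adopted, and nothing in the issue specifies these values. It assumes a GitHub repository with branch protection and CI status checks, the current Renovate key names (`config:recommended`, which was `config:base` when this issue was filed, and `minimumReleaseAge`, which was then `stabilityDays` with a plain number of days), and the label names are made up for the example. Written as renovate.json5 so that it can carry comments:

```json5
// renovate.json5 -- example policy for a workspaces monorepo (not the project's own config)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  // Sensible defaults (grouping of known monorepos, lockfile handling, PR limits).
  "extends": ["config:recommended"],
  // One issue listing every pending/blocked update, so held-back majors stay visible.
  "dependencyDashboard": true,
  // Bump the caret ranges in each package.json (the "^8.4.0 -> ^9.0.0" shape shown
  // by npm-check-updates above) instead of only refreshing the lockfile.
  "rangeStrategy": "bump",
  // Supply-chain caveat: do not take a release the minute it is published.
  // Compromised or broken versions are usually yanked within a few days;
  // waiting keeps the automerge rule below from pulling them in automatically.
  "minimumReleaseAge": "3 days",
  // Skip versions that are still too new rather than opening a PR that merely waits.
  "internalChecksFilter": "strict",
  // Periodically refresh the root lockfile, but always through a reviewed PR.
  "lockFileMaintenance": { "enabled": true, "automerge": false },
  "packageRules": [
    {
      // Tooling only: lint, test and build deps that never ship to consumers.
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      // Renovate automerges only once the PR's required checks are green, so the
      // safety of this rule is exactly the strength of the repository's CI.
      "automerge": true
    },
    {
      // Majors (e.g. @typescript-eslint 3 -> 4, remark-cli 8 -> 9) need a human.
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["major", "needs-review"]   // assumed label names
    }
  ],
  // PRs raised from GitHub vulnerability alerts (requires the alerts to be enabled
  // for the repo). Renovate's defaults for this block ignore the schedule and the
  // release-age delay, so a fix such as the flat prototype-pollution release
  // flagged in the npm output above is not held back by minimumReleaseAge.
  "vulnerabilityAlerts": {
    "labels": ["security"]                  // assumed label name
  }
}
```

Renovate's npm manager discovers every package.json in the workspace, so a single root config covers all packages of the monorepo; the runtime `dependencies` of published packages get no automerge rule here and therefore fall through to ordinary reviewed PRs, which is the conservative choice for a library whose consumers inherit its dependency tree.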