Automate dependency upgrades within SemVer range #722
This configures RenovateBot to

1. manage all dependencies,
2. upgrade all dependencies within SemVer range at once weekly by recreating `yarn.lock`,
3. merge such upgrades within SemVer range automatically if tests are passing.

RenovateBot will continue to create separate merge requests for every dependency upgrade which requires a change to the SemVer range. Such dependency upgrades need to be reviewed and merged manually.

This also helps to avoid running into a bug of RenovateBot, which causes `yarn.lock` files with missing `resolved` and `integrity` members for a dependency: renovatebot/renovate#13804

Relevant parts from RenovateBot documentation for used presets and configuration options:

> `lockFileMaintenance`
>
> This feature can be used to refresh lock files and keep them up-to-date. "Maintaining" a lock file means recreating it so that every dependency version within it is updated to the latest.
>
> https://docs.renovatebot.com/configuration-options/#lockfilemaintenance

> `:maintainLockFilesWeekly`
>
> Run lock file maintenance (updates) early Monday mornings
>
> https://docs.renovatebot.com/presets-default/#maintainlockfilesweekly

> `:preserveSemverRanges`
>
> Preserve (but continue to upgrade) any existing SemVer ranges
>
> https://docs.renovatebot.com/presets-default/#preservesemverranges
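The lockfile defect mentioned in the description above (entries missing `resolved` and `integrity`) can be caught by a CI check before an automerged lockfile refresh lands. The following is an added example, not part of this pull request or of RenovateBot; it assumes the Yarn v1 lockfile format, and the function names and the sample lockfile are constructed for illustration.

```javascript
'use strict';

// Parse a Yarn v1 lockfile into [{ name, fields }] using its indentation rules:
// a column-0 line ending in ":" opens an entry, two-space lines are its fields.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Entry header, e.g. `lodash@^4.17.0, lodash@^4.17.21:`
      current = { name: line.replace(/:$/, '').replace(/"/g, ''), fields: {} };
      entries.push(current);
      continue;
    }
    // Accept only direct fields (exactly two spaces of indent). Deeper lines
    // belong to dependency maps and must not be mistaken for entry fields.
    const m = /^ {2}([A-Za-z]+) "?([^"]*)"?$/.exec(line);
    if (m && current) current.fields[m[1]] = m[2];
  }
  return entries;
}

// Return the entries that lack `resolved` and/or `integrity`.
function findUnpinnedEntries(text) {
  return parseYarnLockV1(text)
    .map(({ name, fields }) => ({
      name,
      missing: ['resolved', 'integrity'].filter((key) => !fields[key]),
    }))
    .filter((entry) => entry.missing.length > 0);
}

// Constructed sample (hypothetical packages and URL). The second entry mimics
// the defect; its nested dependency named "integrity" must not mask it.
const SAMPLE_LOCK = [
  '# yarn lockfile v1',
  '',
  '"@scope/good@^1.0.0":',
  '  version "1.2.3"',
  '  resolved "https://registry.example.invalid/@scope/good/-/good-1.2.3.tgz#0000"',
  '  integrity sha512-CONSTRUCTEDPLACEHOLDER==',
  '',
  'broken@^2.0.0, broken@^2.1.0:',
  '  version "2.1.4"',
  '  dependencies:',
  '    integrity "^2.0.0"',
].join('\n');

console.log(findUnpinnedEntries(SAMPLE_LOCK));
```

In a pipeline, the same function would be given the contents of the repository's `yarn.lock`, and the job would fail when the returned list is non-empty.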
Seems reasonable. Slightly nervous about the auto merging but I'll get used to it. It's not like releases are being cut automatically. Feel free to merge when ready.
This has been my experience too.
I know that feeling. But do you review changes in
💀
I mostly read the changelogs. Only other "safety" I can think of is that I often use ember-cli-dependency-lint.
@gilest How is your experience with this configuration so far? Wondering if it should be proposed for other addons as well.
I'm considering:
This is great.
Never mind – it only automerges the lockfile updates
Haven't tried to update these packages, but a single PR is definitely better. Similar problem to above where I'd like to include additional changes in the dependency update branch. Not sure what best approach is here.
@jelhan further update to this. Now that the addon is almost completely "modern" and up to date with its dependencies this system is working very well. I would recommend it to addon authors 👍🏻
Ignoring Ember dependencies is not needed anymore. This was needed earlier because Ember CLI Update determined the version of the blueprints to upgrade based on the `ember-cli` dependency version in the project. This has been replaced by an `ember-cli-update.json`, which contains information about latest blueprint upgrades. Also compatibility of dependencies with different Ember versions has been improved a lot in the last years. No need to upgrade all of them with Ember CLI Update. The latest versions work very well in my experience even if SemVer ranges in blueprints are not yet upgraded to use them.