Switch dependency management to single file of versions and Renovate #11101
Comments
https://www.whitesourcesoftware.com/free-developer-tools/renovate/ Example (and where I've watched it work):
From trust: I'm sold. For documentation: what are the pain points that this should fix that we currently have with dependabot?
With dependabot, if you fork a repo, the fork runs dependabot with no way to turn it off, so your fork repo gets dependency update PRs, which is very irritating. Renovate may be disabled for forks, and this comes up frequently on the related "dependabot should allow disable for forks" feature request in dependabot fora. This is actually a big deal for me; I hate having skew between my fork and upstream on the main branch.

With renovate you have broader support for more package ecosystems: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#package-ecosystem - this used to be a bigger deal, but it looks like it has all the ones that matter at the moment. For react-native it doesn't do cocoapods, so that's relevant to me (and thus, of value here, motivates me to commit to care and feeding of renovate) but not as relevant here.

The new way to do dependency management, with a single version catalog outside (then referenced by) your build files, is "Version Catalogs" in Gradle (a https://docs.gradle.org/current/userguide/platforms.html#sub:conventional-dependencies-toml). Dependabot does not support it and does not have it on their roadmap even: dependabot/dependabot-core#3121. Renovate supports it: renovatebot/renovate#8692 (comment)
Hello 👋, this issue has been opened for more than 2 months with no activity on it. If the issue is still here, please keep in mind that we need community support and help to fix it! Just comment something like still searching for solutions and if you found one, please open a pull request! You have 7 days until this gets closed automatically
How time flies :-)
I currently find it difficult to understand why a dependency was added because there's a lot of line noise: 1 change for each time the dependency is updated. This is why I proposed Looking at the output of I'm ambivalent to Renovate, and my concern is a minor one. Does this paint us into a corner where the above issue is harder to solve?
libs.version.toml + renovate is the state of the art, and solves these things all at once:
This is for Gradle builds only though. Package.json is the javascript ecosystem and would need a different solution.
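As an added illustration of the "single version catalog outside your build files" idea discussed in the comments above (this is a constructed example, not the project's real catalog; the aliases and version numbers are placeholders), a Gradle version catalog looks like this:

```toml
# gradle/libs.versions.toml -- constructed example, not AnkiDroid's own file.
# Gradle 7.4+ loads a catalog at this path automatically and exposes it as `libs`.

[versions]
# Every version pin lives here, so an update PR touches exactly one line.
kotlin = "1.8.22"          # placeholder version
androidx-core = "1.10.1"   # placeholder version
okhttp = "4.11.0"          # placeholder version

[libraries]
# alias = { module = "group:artifact", version.ref = "<key in [versions]>" }
androidx-core  = { module = "androidx.core:core-ktx", version.ref = "androidx-core" }
okhttp         = { module = "com.squareup.okhttp3:okhttp", version.ref = "okhttp" }
okhttp-logging = { module = "com.squareup.okhttp3:logging-interceptor", version.ref = "okhttp" }

[bundles]
# One alias that pulls in every okhttp artifact at the same pinned version,
# so the two can never drift apart during an update.
okhttp = ["okhttp", "okhttp-logging"]

[plugins]
kotlin-android = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }
```

The build files then reference the catalog instead of repeating coordinates: `implementation(libs.androidx.core)` and `implementation(libs.bundles.okhttp)` in a module's `dependencies {}` block, and `alias(libs.plugins.kotlin.android)` in its `plugins {}` block (dashes in aliases become dots in the accessors). Because the `[versions]` table is the only place a version appears, `git log -p gradle/libs.versions.toml` and `git blame` on that one file answer both "what changed" and "when was this dependency introduced" without the per-module noise raised in the comment above, and a reviewer checking a dependency-update PR for supply-chain reasons has a single diff to inspect.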
A note on this one related to investigation on gradle-update-wrapper failing over on Anki-Android-Backend:
https://github.com/rahulsom/gradle-up gradle-update-wrapper is dead but still in use here and on Anki-Android-Backend; apparently renovate handles updating the gradle wrapper as well, which would be an added bonus of a switch to renovate.
I've been thinking of switching to renovate at the same time; how about this as a separate issue - peel if you agree, I made the first sentence a good title.
Renovate because it handles more ecosystems (Backend uses so many...) and it's open source and we're not super wedded to dependabot so it won't be hard to untangle. I've seen renovate in action on ACRA and it works well, plus you can disable it on forked repos (bonus, my fork's main branch won't have skew from main repo to turn off dependabot!)
Originally posted by @mikehardy in #11096 (comment)
While we're here, we should also use version catalogs