Use greenkeeper to automatically keep npm deps up to date

[diracdeltas]

https://greenkeeper.io/

[alexwykoff]

@bbondy @diracdeltas is this still an issue or will we end up switching to yarn?

[luixxiul]

Greenkeeper 2 has been released since May.

https://blog.greenkeeper.io/greenkeeper-2-0-release-da8f8f476c88

Feature shortlist

💰 New entry-level pricing model:
Start with Greenkeeper from $25 for 10 private repos per month on organisations or just $1.50 per private repository for personal accounts.
🤖 Uses the new GitHub Integrations API.
🔇 Less noise: Fewer GitHub notifications.
✨ Support for npm shrinkwrap.
💪 More convenient and more flexible dependency update handling.
📌 Built-in dependency pinning, for when you just don’t have time to deal with a breaking change.
🔒 Native support for scoped and private npm modules.
💳 Better payment and billing user experience.
📰 Open product roadmap.

[diracdeltas]

Greenkeeper is still useful in addition to yarn/package-lock for keeping dependencies up to date. right now npm outdated shows a lot of outdated dependencies.

[bsclifton]

Without reliable tests, upgrading should only be limited to patch and minor versions, IMO. Even then, there would be some risk. Personally, I don't have enough confidence in our webdriver tests- I don't think we're ready to do this yet

[diracdeltas]

I think that every N releases, we should update every dependency to latest stable version and lock that in package-lock, for some value of N. There should be enough time for manual testing to make sure things don't break in these releases.

[luixxiul]

It should be nice if we have automated test suite with setting the environment variable process.env.NODE_ENV to the string value production to avoid a nasty bug which @bsclifton, @jonathansampson, and @kevinlawler have solved on #10029.

[bsclifton]

Closing in favor of #1701