Show changelogs for lock file maintenance

[HonkingGoose]

What would you like Renovate to be able to do?

I would like the lock file maintenance pull requests to show me the change logs for the dependencies that are upgraded/added to the lock file.

The problem is that I don't have any easy way to check what the dependency upgrades/additions in the lock file are changing. I need to manually look around for the change logs for each peer dependency in the yarn.lock or package-lock.json.

Did you already have any implementation ideas?

The lock file maintenance pull request seems similar to a grouped updated PR, maybe you can re-use parts of the grouped-updates logic?

Are there any workarounds or alternative ideas you've tried to avoid needing this feature?

I can manually search for lock file change logs like I do now anyways.

Is there some other way to get part-way there, by using a different configuration for Renovate?
I'm using a really bare-bones renovate.json file right now, so maybe I'm missing some kind of setting/toggle that I can use to get closer to my desired behavior?

Maybe you can re-jig the logic for pull requests to open separate pull requests for each yarn.lock or package-lock.json dependency change? That might be easier than fetching/bundling change logs for all changed dependencies in the lock file...

Is this a feature you'd be interested in implementing yourself?

I cannot help with programming this.

[rarkins]

There may be an issue for this open already (I recall it being discussed).

We could may parse the lock file after and at least compare top level dependency changes. The full transitive change list could be pretty long and too much noise for most.

[HonkingGoose]

This issue looks kinda similar, or is at least related I think: #7279.

[frangio]

I opened an issue about this in config-help a while ago: renovatebot/config-help#826

[frangio]

The full transitive change list could be pretty long and too much noise for most.

If a repo runs lockfile maintenance every week, the change list is probably short enough.

Maybe enabling the change list could be an additional option if some people would want to disable it.

[rarkins]

Someone will need to define a mockup of how the markdown should look, e.g. using a real lock file maintenance example PR. If it was only a "diff" that was needed, you don't need Renovate to do that because GitHub does a fine job. So assuming there's an expectation of a "user-friendly" view of the changes, then we would need to know what exactly that is. Remember that packages can be present more than once transitively, so it's not as simple as "package X was updated from v1.0.0 to v1.2.0". A package could be added or removed more than once, updated more than once, etc.

[frangio]

It can use the "path" to the dependency that is being updated to identify each separate instance of the dependency. As reference, npm audit will show paths like these in its output: webpack-dev-server > selfsigned > node-forge.

Below is what I think it could look like.

---

This PR contains the following updates:

Dependency	Update	Change
webpack-dev-server > selfsigned	patch	1.10.7 -> 1.10.8
node-fetch	minor	2.4.0 -> 2.6.1
other-package > node-fetch	minor	2.3.0 -> 2.6.1

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Release Notes

jfromaniello/selfsigned

...

node-fetch/node-fetch

...

[viceice]

As @rarkins said, those lists can be get pretty big. Even if you enable weekly maintenance.

If you have a lot of deps like we have, nearly every lockfile maintenance is big.

[rarkins]

@frangio it's missing "using a real lock file maintenance example PR" including packages added, removed, present more than once, etc.

[rarkins]

Here's an example: https://github.com/renovatebot/renovate/pull/7551/files

[HonkingGoose]

I'm trying to create a proper GitHub Flavored Markdown mock-up, based on the real lockfile diff @rarkins posted above. I'm struggling to understand what changes/updates/removals we want to show to the end-user of Renovate.

@rarkins said this:

We could may parse the lock file after and at least compare top level dependency changes. The full transitive change list could be pretty long and too much noise for most.

The yarn.lock file shows a lot of dependencies, but all those dependencies have sub-dependencies and optional dependencies as well. How can I see what are top-level dependency changes?

[HonkingGoose]

You can see my in progress work here: https://github.com/HonkingGoose/renovate-issue-7536

[rarkins]

You'd need to cross reference the lock file against the package.json entries

[HonkingGoose]

I'm waiting on a good example on how to proceed with my work over at my fork: HonkingGoose/renovate-issue-7536#3 (comment)

So I'm labeling this blocked, as I'm not making any progress on this until I get a basic example that I can then extend from.

[HonkingGoose]

I saw that GitHub themselves have also made a nice overview, it's called Dependency review.
Maybe we can use that as a basis for figuring out what our screen should show?
Or would that be illegal copy/paste?

Steps:

1. Go to https://github.com/renovatebot/renovate/pull/7551/files
2. Click on the "rich diff" button
3. You should see a screen that details all the changes.

Relevant GitHub blog post: https://github.blog/2020-12-08-new-from-universe-2020-dark-mode-github-sponsors-for-companies-and-more/#dependency-review

[rarkins]

I don't have any "rich diff" button:

[HonkingGoose]

The button you're looking for is on the right of the < > button. It's the button with the "file icon" in it.

This link takes you to the screen I'm talking about:
https://github.com/renovatebot/renovate/pull/7551/files?short_path=51e4f55#diff-51e4f558fae534656963876761c95b83b6ef5da5103c4adef6768219ed76c2de

[HonkingGoose]

There may be an issue for this open already (I recall it being discussed).

I think this is the issue you meant: #651

Do you want to close my issue as a duplicate?

[HonkingGoose]

Duplicate of #651