Show changelogs for lock file maintenance #7536
Comments
There may be an issue for this open already (I recall it being discussed). We could maybe parse the lock file after and at least compare top level dependency changes. The full transitive change list could be pretty long and too much noise for most. |
This issue looks kinda similar, or is at least related I think: #7279. |
I opened an issue about this in config-help a while ago: renovatebot/config-help#826 |
If a repo runs lockfile maintenance every week, the change list is probably short enough. Maybe enabling the change list could be an additional option if some people would want to disable it. |
Someone will need to define a mockup of how the markdown should look, e.g. using a real lock file maintenance example PR. If it was only a "diff" that was needed, you don't need Renovate to do that because GitHub does a fine job. So assuming there's an expectation of a "user-friendly" view of the changes, then we would need to know what exactly that is. Remember that packages can be present more than once transitively, so it's not as simple as "package X was updated from v1.0.0 to v1.2.0". A package could be added or removed more than once, updated more than once, etc. |
It can use the "path" to the dependency that is being updated to identify each separate instance of the dependency. As a reference, below is what I think it could look like. This PR contains the following updates:
🔧 This Pull Request updates lock files to use the latest dependency versions. Release Notes: jfromaniello/selfsigned... node-fetch/node-fetch... |
As @rarkins said, those lists can get pretty big, even if you enable weekly maintenance. If you have a lot of deps like we have, nearly every lockfile maintenance is big. |
@frangio it's missing "using a real lock file maintenance example PR" including packages added, removed, present more than once, etc. |
Here's an example: https://github.com/renovatebot/renovate/pull/7551/files |
I'm trying to create a proper GitHub Flavored Markdown mock-up, based on the real lockfile diff @rarkins posted above. I'm struggling to understand what changes/updates/removals we want to show to the end-user of Renovate. @rarkins said this:
The |
You can see my in progress work here: https://github.com/HonkingGoose/renovate-issue-7536 |
You'd need to cross reference the lock file against the package.json entries |
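The approach sketched in the comments above (key each lock file entry by its install path so a package present more than once transitively is reported per instance, then cross-reference against package.json to flag direct dependencies), written out as an added example that is not part of this issue or of Renovate's code. The package-lock.json excerpts and package names are constructed samples; real lock files carry many more fields.

```javascript
// Added example (not Renovate code): summarise a lock file maintenance change by
// diffing two package-lock.json "packages" maps (lockfileVersion 2/3), keyed by
// install path so duplicated transitive instances are listed separately.
function diffLockfiles(before, after, pkgJson) {
  const declared = new Set([
    ...Object.keys(pkgJson.dependencies || {}),
    ...Object.keys(pkgJson.devDependencies || {}),
  ]);
  const paths = new Set([...Object.keys(before.packages), ...Object.keys(after.packages)]);
  const changes = [];
  for (const path of paths) {
    if (path === '') continue; // "" is the root project entry, not a dependency
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const from = before.packages[path] && before.packages[path].version;
    const to = after.packages[path] && after.packages[path].version;
    if (from === to) continue;
    const kind = !from ? 'added' : !to ? 'removed' : 'updated';
    // Only a top-level instance that package.json declares counts as direct.
    const direct = path === `node_modules/${name}` && declared.has(name);
    changes.push({ path, name, kind, from, to, direct });
  }
  return changes.sort((a, b) => a.path.localeCompare(b.path));
}

// Render the summary as a GitHub Flavored Markdown table, direct deps first.
function renderMarkdown(changes) {
  const rows = [...changes].sort((a, b) => Number(b.direct) - Number(a.direct));
  const lines = ['| Package | Path | Change | Direct |', '|---|---|---|---|'];
  for (const c of rows) {
    const change = c.kind === 'updated' ? `${c.from} -> ${c.to}` : `${c.kind} (${c.from || c.to})`;
    lines.push(`| ${c.name} | ${c.path} | ${change} | ${c.direct ? 'yes' : 'no'} |`);
  }
  return lines.join('\n');
}

// Constructed sample inputs (hypothetical package names and versions).
const SAMPLE_PKG = { dependencies: { alpha: '^1.0.0' }, devDependencies: { beta: '^2.0.0' } };
const SAMPLE_BEFORE = { packages: {
  '': { name: 'demo' },
  'node_modules/alpha': { version: '1.0.0' },
  'node_modules/beta': { version: '2.0.0' },
  'node_modules/beta/node_modules/alpha': { version: '0.9.0' }, // nested duplicate
  'node_modules/gamma': { version: '3.0.0' },
} };
const SAMPLE_AFTER = { packages: {
  '': { name: 'demo' },
  'node_modules/alpha': { version: '1.2.0' },
  'node_modules/beta': { version: '2.0.0' },
  'node_modules/beta/node_modules/alpha': { version: '0.9.1' },
  'node_modules/delta': { version: '0.1.0' },
} };
function sampleChanges() { return diffLockfiles(SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_PKG); }
```

Running `renderMarkdown(sampleChanges())` on the samples yields four rows: the two alpha instances updated separately, gamma removed and delta added, with only the top-level alpha marked direct.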
I'm waiting on a good example on how to proceed with my work over at my fork: HonkingGoose/renovate-issue-7536#3 (comment) So I'm labeling this blocked, as I'm not making any progress on this until I get a basic example that I can then extend from. |
I saw that GitHub themselves have also made a nice overview, it's called Steps:
Relevant GitHub blog post: https://github.blog/2020-12-08-new-from-universe-2020-dark-mode-github-sponsors-for-companies-and-more/#dependency-review |
The button you're looking for is on the right of the This link takes you to the screen I'm talking about: |
I think this is the issue you meant: #651 Do you want to close my issue as a duplicate? |
Duplicate of #651 |
What would you like Renovate to be able to do?
I would like the lock file maintenance pull requests to show me the change logs for the dependencies that are upgraded/added to the lock file.
The problem is that I don't have any easy way to check what the dependency upgrades/additions in the lock file are changing. I need to manually look around for the change logs for each peer dependency in the yarn.lock or package-lock.json.
Did you already have any implementation ideas?
The lock file maintenance pull request seems similar to a grouped updated PR, maybe you can re-use parts of the grouped-updates logic?
Are there any workarounds or alternative ideas you've tried to avoid needing this feature?
I can manually search for lock file change logs like I do now anyways.
Is there some other way to get part-way there, by using a different configuration for Renovate?
I'm using a really bare-bones renovate.json file right now, so maybe I'm missing some kind of setting/toggle that I can use to get closer to my desired behavior?
Maybe you can re-jig the logic for pull requests to open separate pull requests for each yarn.lock or package-lock.json dependency change? That might be easier than fetching/bundling change logs for all changed dependencies in the lock file...
Is this a feature you'd be interested in implementing yourself?
I cannot help with programming this.