Use a bot to update your dependencies #412

Open
HonkingGoose opened this issue Nov 4, 2024 · 3 comments

@HonkingGoose
Contributor

Summary

  • Many outdated dependencies on this repository
  • I tried updating your dependencies manually, but gave up
  • Using a bot to update your dependencies is easier
  • Renovate bot can be set to only create PRs when you ask for them via the Dependency Dashboard
  • I can make a config for you for Dependabot or Renovate

Manually updating is hard

I tried updating your dependencies for you, by hand, and it was really hard... So I'm giving up on that idea. Instead I want to help you with a config for a bot to update your dependencies.

History

Two years ago, I tried getting a bot config landed in this project:

You closed the PR, and said:

> But yeah if this was a bigger project that I was dedicated full time to I might keep it updated, but I just don't see the need, nor do I have the time to put in.

I still think you can save time by using a bot to update your dependencies. So I'm being a bit naughty, and asking you again about this. 🙃

Bots I can help you with

Only if you want, I can create a config for one of these bots:

  • Dependabot
  • Renovate

For a comparison between Dependabot and Renovate, please read the Renovate docs, bot comparison page. That has nice tables to summarize the key differences.

Get updates on demand via Renovate's Dependency Dashboard

I recommend you try Renovate, because it allows something Renovate calls the "Dependency Dashboard Approval Workflow". How that works:

  1. You get an Issue from Renovate bot, that shows the Dependency Dashboard.
  2. You select the update you want from the Dashboard.
  3. Only after you select the update, will Renovate bot create the PR.
  4. You review the PR, and merge if good, or push the needed changes to the PR branch, and then merge.

The best thing for you is that this way you'll only ever get normal updates when you request them. Renovate will still create update PRs for security updates though.
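
The Dependency Dashboard Approval Workflow described in the issue above, as an added configuration example that is not part of the original post or of this repository. The file name `renovate.json5` and the `security` label are assumptions made for illustration.

```json5
// renovate.json5 (constructed example, not the project's own config)
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",

  // Renovate's recommended preset, which also turns on the
  // Dependency Dashboard issue.
  extends: ["config:recommended"],

  // Hold every regular update until a maintainer ticks its checkbox
  // in the Dependency Dashboard issue; only then is the PR created.
  dependencyDashboardApproval: true,

  // Settings applied to security update PRs, which the post says are
  // still created without a request. The label (an assumed name)
  // makes them easy to spot during review.
  vulnerabilityAlerts: {
    labels: ["security"],
  },
}
```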

@deniszholob
Owner

deniszholob commented Nov 5, 2024

Will think about and consider, but rn I'm in the process of converting the project to angular 18 + tailwind anyways so a bunch of stuff will change, just a lot on my plate rn, trying to balance my time with everything while also trying to enjoy playing some space age haha. Maybe we can revisit this after I'm done with the upgrade.
I do appreciate the details and links to make my research easier.

@hymccord

I'm more in line with, if it isn't broken don't fix it.

I have Dependabot in a few of the repos I help manage and it just gets annoying after some time. Renovate does sound better but it requires app installation (whatever that means) or self-hosting.

@HonkingGoose
Contributor Author

HonkingGoose commented Nov 13, 2024

A quick heads up before you start: I help to maintain the Renovate docs in my free time. So I obviously like using Renovate, and like contributing to that project. 😉

Only fix when broken is harder than updating often

> I'm more in line with, if it isn't broken don't fix it.

Here's the page I wrote for the Renovate docs to explain why I think updating often is better: Renovate docs, why updating often is easier, faster and safer.

Renovate app installation concerns

> Renovate does sound better but it requires app installation (whatever that means) or self-hosting.

In general the choice is between full control and ease of use. Self-hosting gives you full control, but means you need to update the bot itself, and manage more things. Letting somebody else host the app is easier, but you don't have full control.

I'll link to the docs, and let you make your own choices.

Security and permission model for the hosted app

Read the Renovate docs, Security and Permission page to learn more about the permissions of the bot, and the security stance of the project.

How to install Renovate (or self-host it)

Read the Renovate docs, installing and onboarding to learn how you can install and use Renovate.

If you don't like installing the app, you can self-host Renovate. This does mean you must update the bot itself regularly!

Dependabot is good too!

And Dependabot is a very good tool too! The main point is that you should use a bot to automate updating your dependencies. 😄

Bot comparison

Read the Renovate docs, bot comparison page to see a comparison between Dependabot and Renovate.
