Set up Renovate to Automate JavaScript Dependency Updates

To ensure that the 3rd-party JavaScript packages we depend on get updated routinely (for security patches, bug fixes, etc.), we use Renovate to regularly create pull requests that update them. To add Renovate to a repository with a package.json file:

  1. File an ARCHBOM ticket asking for Renovate to be enabled for the repository by adding it to the list of repositories at the bottom of the Renovate GitHub App settings.

  2. Review the auto-generated configuration PR and make any appropriate changes.  Here are a few examples: edx-platform, pa11ycrawler, paragon (updated here). Note that if the repository already has a Renovate configuration in renovate.json or package.json, that will be used and no PR will be created.

  3. Merge the configuration PR.  Renovate will soon start generating PRs according to the specified preferences and schedule.

For more context and historical notes on choosing this service, see the “Rationale” section below.

For details on configuring the bot, see the renovate doc.

Automerging and Required Reviews

If your repository requires PRs to have an approving review before merge, and you wish to use Renovate’s automerge features, you can use Renovate Approve to accomplish this: https://github.com/apps/renovate-approve

Renovate can’t approve its own PRs, and so will otherwise be unable to merge them. Renovate Approve automatically approves any PRs that Renovate generates, allowing automerges to be processed normally.

Rationale

To ensure that the 3rd-party JavaScript packages we depend on get updated routinely (for security patches, bug fixes, etc.), we use a service to regularly create pull requests that update them.  These pull requests notify us that the dependency has been updated and trigger test runs to check if the dependency can be safely upgraded without breaking functionality.  We now use Renovate for this (after an earlier experiment with Greenkeeper).

Why we use a service like this:

  • Security problems are occasionally found in packages we use, and we want to upgrade to versions that fix them as soon as possible to avoid being targeted by attacks

  • It's not uncommon to spend hours debugging a problem which turns out to be a bug in a package which was already fixed in a newer release

  • Upgrading existing dependencies in a pull request to add a feature or fix a bug distracts reviewers from the actual changes that had to be made

  • Manually creating pull requests to upgrade dependencies (and circling back to check the results) is an inefficient use of developer time given that this is easily automated

  • It's free for open source repositories, so there's no monetary cost involved (there is a modest fee if we start using it on private repositories)

Renovate also supports other types of dependencies (such as Python packages, Docker base containers, etc.), but we can evaluate that independently of which tool to use for JS dependency upgrades.  It also has far more configuration options than we probably need, and supports using shared base configuration from an npm package or another git repository to avoid needing to update the configuration in every repository when making changes.

Notes on Alternatives

Things we didn't like about Greenkeeper after using it for a while, which Renovate at least partially addresses:

  • Each package to be upgraded got its own pull request on every release, which was good for identifying the root cause of a test failure but resulted in a pretty high volume of PRs that needed to be reviewed (especially in repositories which normally don't need to be updated very often).  Renovate has configuration options to set the frequency of checking for new dependency releases, and to allow related packages to be updated in the same pull request.  This may delay notification of security patch releases or make it harder to identify the exact cause of a test failure, but also makes it less likely that the PRs will be simply ignored for lack of time to deal with them all.

  • package-lock.json was updated with each pull request, which often caused merge conflicts as different PRs changed the file in slightly incompatible ways.  Some of the Renovate configuration options can make such conflicts less frequent, and when auto-merging is enabled (for specific packages when tests pass), it automatically rebases other pending pull requests.
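The configuration below is an added illustration, not taken from any of the repositories linked above or from Renovate's own documentation. It shows how the options discussed in this section (a weekly schedule, grouping related packages, selective automerge, lockfile maintenance, rebasing pending PRs) and the shared-preset mechanism from the Rationale section fit together, while keeping security updates off the weekly schedule so they are not delayed. It is written as renovate.json5, which Renovate also reads and which permits comments; "example-org/renovate-config" and the package names are placeholders.

```json5
// renovate.json5 (example added to this page; not an edX repository's real config)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Inherit the recommended defaults plus an org-wide preset kept in its own
  // repository, so changes do not have to be copied into every project.
  // "example-org/renovate-config" is a hypothetical repository name.
  "extends": ["config:recommended", "github>example-org/renovate-config"],

  // Routine upgrade PRs are batched into one weekly window to keep volume manageable.
  "schedule": ["before 5am on monday"],
  "timezone": "America/New_York",

  // Cap open PRs so a rarely-touched repository is not flooded.
  "prConcurrentLimit": 5,

  "packageRules": [
    {
      // Move related packages together in a single PR.
      "matchPackageNames": ["react", "react-dom"],
      "groupName": "react monorepo"
    },
    {
      // Only low-risk, dev-only patch/minor updates may merge on green CI;
      // production dependencies always wait for a human reviewer.
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["patch", "minor"],
      "automerge": true,
      "automergeType": "pr"
    }
  ],

  // Security fixes bypass the weekly window: open them immediately and
  // label them so they are visible in the review queue.
  "vulnerabilityAlerts": {
    "enabled": true,
    "schedule": ["at any time"],
    "labels": ["security"]
  },

  // Refresh package-lock.json in one dedicated monthly PR rather than letting
  // every dependency PR rewrite it in slightly different ways.
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am on the first day of the month"]
  },

  // Rebase pending PRs whenever the base branch moves, so merging one PR does
  // not leave the others with stale lockfile conflicts.
  "rebaseWhen": "behind-base-branch"
}
```

Two caveats apply when adopting something like this: Renovate's vulnerabilityAlerts feature relies on GitHub's own vulnerability (Dependabot) alerts being enabled for the repository, and automerge only works on a repository that requires approving reviews if Renovate Approve (see above) is also installed.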

Greenkeeper was discontinued in June 2020, and its maintainers recommended switching to Snyk. We can evaluate Snyk as an alternative at some point, but haven’t felt a need to do so yet.