Set up Renovate to Automate JavaScript Dependency Updates

To ensure that the 3rd-party JavaScript packages we depend on get updated routinely (for security patches, bug fixes, etc.), we use Renovate to regularly create pull requests that update them. To add Renovate to a repository with a package.json file:

  1. File an ARCHBOM ticket asking for Renovate to be enabled for the repository by adding it to the list of repositories at the bottom of the Renovate GitHub App settings.

  2. Review the auto-generated configuration PR and make any appropriate changes. Here are a few examples: edx-platform, pa11ycrawler, paragon (updated here). Note that if the repository already has a Renovate configuration in renovate.json or package.json, that configuration will be used and no PR will be created.

  3. Merge the configuration PR. Renovate will soon start generating PRs according to the specified preferences and schedule.

For more context and historical notes on choosing this service, see https://openedx.atlassian.net/wiki/spaces/TE/pages/939459794.

For details on configuring the bot, see the Renovate documentation.

Automerging and Required Reviews

If your repository requires PRs to have an approving review before merge, and you wish to use Renovate’s automerge features, you can use Renovate Approve to accomplish this: https://github.com/apps/renovate-approve

Renovate can’t approve its own PRs, and so will otherwise be unable to merge them. Renovate Approve automatically approves any PRs that Renovate generates, allowing automerges to be processed normally.
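
Because Renovate Approve approves every PR that Renovate opens, the automerge rules in the repository's Renovate configuration decide which updates merge without a human reviewer. The renovate.json below is an added example, not taken from any Open edX repository; the schedule and the choice to automerge only minor and patch updates of devDependencies are assumptions made for illustration.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "description": "Added example: schedule and rule scope are assumptions, not Open edX settings",
  "extends": ["config:recommended"],
  "schedule": ["before 6am on monday"],
  "packageRules": [
    {
      "description": "Automerge only minor and patch updates to development tooling",
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      "description": "Major updates always wait for a human reviewer",
      "matchUpdateTypes": ["major"],
      "automerge": false
    }
  ]
}
```

Updates that match no automerge rule still arrive as ordinary PRs, so runtime dependencies in this example continue to be merged by a person.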