Keeping up with the dependencies

New libraries and frameworks are emerging daily. Faster, shinier and better versions are released containing performance improvements, new features, and bug fixes. Missing out on those can be quite a handicap for all kinds of projects.

Keeping up with frequent dependency upgrades is a challenge that we encountered at Scalable Capital. We used to keep an eye on Twitter to get notified about a new release, or browse through npm or GitHub in search of the latest versions. Or we just waited until a deprecation warning showed up during the next npm install. But more often we simply missed the newest versions and did not upgrade our dependencies at all.

Therefore we needed a more scalable solution to keep up with today’s fast-paced Node.js ecosystem.

What we wanted was to:

  • be notified when a new version gets released
  • verify that an upgrade would not break anything
  • upgrade as easy as possible

And it should be fully automated — obviously.

npm-check

In order to achieve that, we started using npm-check. This handy script scans through our package.json file to find outdated dependencies.

Additionally, it allowed us to select all dependencies that should be upgraded to their latest version. However, upgrading and verifying were still manual steps.

Although npm-check is an amazing tool that still comes in handy on a number of occasions, what we really needed was something more automated.

Renovate to the rescue!

We came across a fantastic tool called Renovate. According to their website: “Renovate saves you time and reduces risk in software projects by automating the tedious process of updating dependencies. Behaviour is fully customizable so there is a setting to suit everybody.” [1]

And it definitely keeps its promise. Renovate enables us to get notified when any of our dependencies gets an update, validate it, and upgrade to the newest release with a click of a button.

Let me show you how.

Renovate can be set up in multiple ways: as a GitHub app, a Docker image, or an open-source CLI tool.

We chose to go with the latter, as it fits exactly into our Jenkins-based CI system.

Let’s dive in and renovate one of our projects

I will run renovate from my local machine against one of our GitHub repositories.

First of all, we give permissions to Renovate to access our repositories. For that, I will create a personal access token in my GitHub settings.

With the token, I can run Renovate in my terminal with the following command:

GITHUB_TOKEN=<my github token> npx renovate <repository name>

As easy as that!

Renovate will then scan through the dependencies of this project, find the latest versions for them, and create a new pull request for each one. Ensure you have a CI system in place that runs all test suites and static checkers for every pull request.

And there you are, all your favorite libraries at the latest version, fully tested and with the option to merge them to master with a click of a button.

Automating the Renovate CLI depends heavily on the environment it is used in. We use Jenkins as our CI server. For us, all we had to do was to create a new job that runs the Renovate scripts periodically.

Although Renovate has the capabilities to merge those updates automatically, we decided that the final choice of a potential version upgrade should stay within our team.

Renovate supports this kind of human vanity as well. You can let Renovate set assignees and reviewers on the pull requests with a command-line argument, along with a ton of other configuration options.

Conclusion

Keeping your dependencies up-to-date is crucial from many perspectives. Renovate gives us an easy way to automate what was a tedious and error-prone process in the past. This allows us to take full advantage of all those great improvements, crucial security updates and new features that are out there.

[1] https://renovatebot.com/docs visited 2018.11.23