Problems with manual dependency updates
Checking the versions of dependencies in a project’s source code is typically a manual task. This can lead to the continued use of deprecated or insecure dependencies until a manual update takes priority. However, this manual process can be time-consuming and prone to oversight. To alleviate this burden, developers can automate dependency updates using a tool called Renovate. By simply adding a Renovate configuration file, the tool can be scheduled to run automatically. It scans relevant package or configuration files (e.g.,
repositories.txt) and opens pull requests with the updated dependency versions. This not only reduces manual work but also encourages the adoption of automated tests. These tests can be run after the dependency versions are bumped, ensuring the changes are verified before merging the pull request that Renovate auto-opens.
How Renovate works?
Renovate keeps source code dependencies up-to-date using automated Pull Requests. It will scan repositories for package manager files (e.g. from npm/Yarn, Bundler, Composer, Go Modules, Pip/Pipenv/Poetry, Maven/Gradle, Dockerfile/k8s, and many more), and submit Pull Requests with updated versions whenever they are found.
It’s worth noting that Renovate supports Bitbucket, GitHub, GitLab, etc… or any other cloud based repository hosting services (e.g. Azure Devops). Renovate can be self hosted or its GitHub hosted app used. In addition to self-hosting, each git repository needs a configuration file which basically lists source code files where dependency versions are present and how to update them.
How to use Renovate
I’d suggest to use Renovate in the following way:
– configure auto-merge of non-major dependencies versions
– disable auto merge on major versions, just open prs
You can see a demo of using Renovate at my GitHub linode-cli repository. After I added Renovate basic configuration file and added Renovate GitHub app in the repository settings, it had opened pull requests nightly with dependency updates.
That’s it about automating software dependency updates using Renovate. As always, feel free to share.
If you found this article useful, take a look at the disclaimer for information on how to thank me.
You may also find below articles interesting: