Use the newest libraries and automatically update your dependencies

Muggle-born
4 min readMay 15, 2022

--

Whether it’s a personal project or your companies’ code base, updating dependencies and keeping versions up-to-date can be tedious. Save yourself, your team, and other developers time by automating the whole process!

Today we’re going to look at a way to automate dependency updates so you never have to think about updating them again.

Manually Updating Dependencies

Before we dive into automation, let’s look at a simple process I have used to manually update dependencies:

  1. Open your terminal in your project directory
  2. Run npm outdated to generate a list of outdated packages
  3. Checkout a new feature branch that you’ll update dependencies on git checkout -b muggleborn/update-deps
  4. Run npm update --save to update packages or leverage a third-party tool to update packages like npx npm-check-updates -u
  5. Save and commit your changes, then push your branch to GitHub, and create a PR.

As of developer on the team tasked with maintaining dependencies and keeping them up-to-date, this simple process can be quite a time sink. How are you supposed to know new versions of libraries are released? What if your team has already ruled out updating a package, but a never developer joins the team and wastes several hours trying to update it?

Inspired by the questions above, and many others, I searched the web and discovered Renovate — the tool I’d like to talk about today.

Using Renovate to Automatically Update Dependencies

Renovate is a multi-platform and multi-language tool for automating dependencies.

Why use Renovate?

  • Get pull requests to update your dependencies and lock files — supports auto-merging and rebasing to resolve merge conflicts.
  • Reduce noise by scheduling when Renovate creates PRs and how many are created.
  • You can customize the bot’s behavior with configuration files.
  • Share your configuration with ESLint-like config presets.
  • Supported on various platforms: GitHub (.com and Enterprise Server), Gitlab (.com and CE/EE), Bitbucket (Cloud and Server), and more.
  • Open source.

What do PRs look like?

The section below contains images of PRs created by renovate. Note, the content displayed in your PRs is highly customizable.

Renovate PR: updating dependency postcss from 8.1.6 to 8.2.10 to resolve a security vulnerability. Using the renovate with no custom configuration file.
Renovate PR: updating all non-major dependencies in one PR because the ‘group:allNonMajor’ preset is in the renovate configuration file.
Renovate PR: updating React from 16.14.0 to 18.1.0 with release notes included in the PR description because this PR has potentially breaking changes (a major version changed).
Renovate Dependency Dashboard: shows an overview of the state of your repositories’ dependencies. Includes open, queued, and closed PRs.

Setting up Renovate for your Repository

In the section below I’ll describe how you can setup Renovate using GitHub actions for a repository. You can also install Renovate as a GitHub app, use the rennovate cli from npm, and more

Create a .github/renovate.json file in your repository which holds the renovate configuration. Note, the configuration shown below is as simple as it gets. Read the configuration options to learn more about all the configuration options available

{
"extends": [
"config:base"
]
}

Create a .github/workflows/dependencies.yml file in your repository which holds the Github Renovate Action. The configuration below uses a cron timer to will run renovate every two hours, Monday — Friday.

name: Renovate# Controls when the workflow will run
on:
schedule:
- cron: '0 0/2 * * MON-FRI'

jobs:
# This workflow contains a single job called "rennovate"
renovate:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3.0.2
- name: Self-hosted Renovate
uses: renovatebot/github-action@v32.52.1
with:
configurationFile: .github/renovate.json
token: ${{ secrets.RENOVATE_TOKEN }}
env:
LOG_LEVEL: 'debug'

Generate a personal access token, with the repo:public_repo scope for only public repositories or the repo scope for public and private repositories, and add it to Secrets (repository settings) as RENOVATE_TOKEN. This token is only used by Renovate, see the token configuration, and gives it access to the repositories. The name of the secret can be anything as long as it matches the argument given to the token option.

If you want the option to manually run your GitHub action, I recommend using on: workflow_dispatch (instead of schedule: cron) as documented by GitHub.

Additional Resources

--

--

Muggle-born
Muggle-born

Written by Muggle-born

Hi, my name is Jeremiah. I build things on the web for fun. I enjoy figuring how and why things work the way they do, and I try teaching others along the way.

No responses yet