Automate upgrades of vendored Speedcurve Lux JS library

[bilbof]

Currently our in-hours on call rota has a critical alert because this library has had a new version released, as a result of https://github.com/alphagov/govuk-puppet/pull/11339.

To resolve the alert we would need to upgrade the vendored code to use the latest version. A previous upgrade as an example: https://github.com/alphagov/govuk_publishing_components/pull/2152.

The 2nd line developers are not the appropriate team to upgrade this dependency. It would be better to find a service/team-specific alternative approach to raising an alert at the platform level. For instance, we could investigate using Dependabot or similar.

[injms]

I'm currently upgrading the library manually, so the alert should go away once this has been done.

Totally agree that this should be a thing to automate - it might be a touch tricky as it won't be a straightforward copy and past across, since there are a few settings that currently need to be added, but I'll have a look and see what can be done.

[ChrisBAshton]

There's now a Trello card to move the monitoring of this, to a dedicated team.

https://trello.com/c/7gmCm7KX/265-create-a-way-to-check-and-notify-when-the-speedlux-curve-js-version-needs-updating

[andysellick]

Recent events have made me skeptical that an automated upgrade system is possible, due to the complexity and changing nature of this code. I'm tempted to close this issue as unsolvable.

On the brighter side, the git repo for this code has been made public: https://github.com/SpeedCurve-Metrics/lux.js so anyone can now watch the repo for any new releases.

Also we have tool running in slack in #user-experience-measurement-govuk-robot-invasion that notifies us when a new version is ready.

[andysellick]

As previously mentioned, I don't think automating this is possible, so I'm closing this issue.