Add `bazel update` to update WORKSPACE package versions

Open gibfahn opened this issue 6 years ago • 12 comments

It would be useful to add a `bazel update` command to update WORKSPACE package versions and shasums; this would apply to `http_archive()` and `git_repository()` functions.

It would also be nice to be able to update the bazel version in the .bazelversion file to the latest stable version, but maybe that should be a bazelisk issue.

Updating versions of rules is currently a manual process. This should become easier with the bazel federation, but it still involves changing two different shasums, even if you have no other dependencies (unlikely):

```starlark
http_archive(
    name = "bazel_federation",
    # Sha of archive zip.
    sha256 = "9d4fdf7cc533af0b50f7dd8e58bea85df3b4454b7ae00056d7090eb98e3515cc",
    # Sha of git commit.
    strip_prefix = "bazel-federation-130c84ec6d60f31b711400e8445a8d0d4a2b5de8",
    type = "zip",
    url = "https://github.com/bazelbuild/bazel-federation/archive/130c84ec6d60f31b711400e8445a8d0d4a2b5de8.zip",
)
```

Most package management systems have an automated way to update their dependencies (e.g. npm update, cargo update). The pinning rules in rules_jvm_external also support automated updates.

To do this we would have to recognise certain URL types (like `https://.*\.github\.com/.*/archive/[a-f0-9]{40}\.zip`), and know how to query GitHub for the latest version.

If this belongs somewhere else like bazelisk, buildifier, or gazelle, then let me know, but it seems like something quite core to bazel.

What's the output of bazel info release?

release 1.2.0

Have you found anything relevant by searching the web?

No. I feel like this must have been discussed somewhere before, but I couldn't find anything.

gibfahn avatar Nov 28 '19 16:11 gibfahn
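
As an added example (not part of the original issue and not Bazel's own code), the sketch below shows what an updater for the stanza above has to keep in sync: the commit in `url`, the same commit in `strip_prefix`, and the `sha256` of the archive bytes. The function names, the stricter `github.com` URL pattern, and the in-memory sample archive are assumptions made for illustration; no network access is used.

```python
import hashlib, io, re, zipfile

# GitHub commit-archive URL: .../<owner>/<repo>/archive/<40-hex commit>.zip
GITHUB_ARCHIVE = re.compile(
    r"https://github\.com/[\w.-]+/(?P<repo>[\w.-]+)/archive/(?P<commit>[a-f0-9]{40})\.zip")

def attr(stanza, name):
    """Return the string value of `name = "..."` in an http_archive() stanza."""
    m = re.search(rf'^\s*{name}\s*=\s*"([^"]*)"', stanza, re.M)
    if not m:
        raise ValueError(f"missing attribute: {name}")
    return m.group(1)

def check_pin(stanza, archive_bytes):
    """Return a list of problems; an empty list means the pin is consistent."""
    m = GITHUB_ARCHIVE.fullmatch(attr(stanza, "url"))
    if not m:
        return ["url is not a recognised GitHub commit archive"]
    prefix, problems = f"{m['repo']}-{m['commit']}", []
    if attr(stanza, "strip_prefix") != prefix:
        problems.append("strip_prefix does not match the commit in url")
    if hashlib.sha256(archive_bytes).hexdigest() != attr(stanza, "sha256"):
        problems.append("sha256 does not match the archive bytes")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        if not all(n.startswith(prefix + "/") for n in z.namelist()):
            problems.append("archive contents are not under the expected prefix")
    return problems

def repin(stanza, new_commit, archive_bytes):
    """Update the commit (url and strip_prefix) and sha256 in one step."""
    old_commit = GITHUB_ARCHIVE.fullmatch(attr(stanza, "url"))["commit"]
    digest = hashlib.sha256(archive_bytes).hexdigest()
    return (stanza.replace(attr(stanza, "sha256"), digest)
                  .replace(old_commit, new_commit))

def sample(commit):
    """Constructed stanza and in-memory zip standing in for a real download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(f"bazel-federation-{commit}/WORKSPACE", "# constructed\n")
    data = buf.getvalue()
    stanza = f'''http_archive(
    name = "bazel_federation",
    sha256 = "{hashlib.sha256(data).hexdigest()}",
    strip_prefix = "bazel-federation-{commit}",
    type = "zip",
    url = "https://github.com/bazelbuild/bazel-federation/archive/{commit}.zip",
)'''
    return stanza, data
```

Running `check_pin` on a stanza where only the `url` was bumped reports both the stale `strip_prefix` and the stale `sha256`, which is the half-finished manual update the issue describes.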

cc @laurentlb

jin avatar Nov 28 '19 22:11 jin

Please see https://groups.google.com/forum/#!msg/bazel-dev/_9zL47fpO2k/KMJ8i0sHAwAJ

laurentlb avatar Nov 29 '19 16:11 laurentlb

Also see https://github.com/bzl-io/bzl, which has something similar with bzl use.

https://github.com/bzl-io/bzl#-bazel-use

jin avatar Nov 29 '19 19:11 jin

I'm not sure this is a great idea. Instead of maintaining rules for parsing known URLs and guessing new ones it probably makes sense to extract the version info into the macro arguments and perform some actual dependency management.

  • Proper version restrictions (ex ~1.2)
  • Standardized API for listing versions.
  • Pull version out of URL.

This would also move us towards future features such as:

  • Attempting to share common versions with other dependencies.

I think that we should be looking at package managers such as bundler and cargo which seem to have a good working solution to this problem. It seems that Bazel will have the same problems as people import more libraries natively supporting Bazel with the benefit of being cross-language.

I strongly agree that updating dependencies is painful and would be good to solve, however I'm not confident that the proposed solution can extract all of the possible value and will be maintainable down the road.

kevincox avatar May 02 '20 12:05 kevincox

cc @philwo

jin avatar May 02 '20 22:05 jin

Hi there! We're doing a clean up of old issues and will be closing this one. Please reopen if you’d like to discuss anything further. We’ll respond as soon as we have the bandwidth/resources to do so.

sgowroji avatar Feb 14 '23 07:02 sgowroji

@sgowroji, I think this one is still very much worth reopening and tracking--as a feature request that would be very valuable to most users--especially with bzlmod.

[Users can't reopen; only Bazel members can once you close.]

cpsauer avatar Feb 14 '23 08:02 cpsauer

Thanks @sgowroji :)

cpsauer avatar Feb 14 '23 09:02 cpsauer

Hello @gibfahn , I am currently running into the same issue/need as described here, but after some digging found that this seems to be something that is likely tackled (or in process of being tackled) by bzlmod (introduced as experimental in bazel 5.0).

(docs from 5.0.0) https://docs.bazel.build/versions/5.0.0/bzlmod.html

(generic docs on bzlmod) https://bazel.build/external/overview#bzlmod

There is also a migration guide on how to go from WORKSPACE to this new bzlmod way of working https://bazel.build/external/migration

Not sure if that would make this issue obsolete? I have not tried bzlmod yet, but seems like it fixes the whole 'automatic dependency resolution/update' scenario described here.

diedoman avatar Sep 16 '23 10:09 diedoman

I think this remains open because bzlmod doesn't have auto-update functionality!

cpsauer avatar Sep 16 '23 12:09 cpsauer

With the BCR MCP server, this is very easy with coding agents.

meteorcloudy avatar Oct 31 '25 13:10 meteorcloudy

> With the BCR MCP server, this is very easy with coding agents.

This is true, but how do you verify that it pulled in the correct versions for everything? I don't think Coding Agents remove the need for good dependency management tooling.

gibfahn avatar Dec 02 '25 11:12 gibfahn