dependabot-core icon indicating copy to clipboard operation
dependabot-core copied to clipboard

Published 20 hours ago • verified publisher icon dependabot

Support deno

Open ghost opened this issue 4 years ago • 14 comments

Registry v2 was released 2 days ago. Now deno/x/ requires proper versioning in modules, has an API and simplifies the distribution with their own cdn which should help in adding support for it in dependabot.

See deno-udd for reference on how the community already update their deps.

ghost avatar Aug 05 '20 02:08 ghost

If dependabot were to support Deno, I don't think only deno.land/x should be supported. nest.land, raw.githubusercontent.com, and other popular registries / hosts should be supported.

lucacasonato avatar Aug 07 '20 14:08 lucacasonato

That would be cool!

ramonmedeiros avatar Oct 27 '20 23:10 ramonmedeiros

Currently have a dependency-checking script for deno.land/* dependencies. Looking at ways to get latest version for other hosts. Relies on unstable Deno functionality.

https://github.com/legowerewolf/deno-dependency-checker

Edit. Kinda wish I'd known about deno-udd before this.

legowerewolf avatar May 01 '21 22:05 legowerewolf

recent updates to Deno Language Server might be of help here

and hopefully support will arrive in the following months from esm.sh, Skypack, JSPM, etc. too so that it won't be just deno.land/x, deno.and/std, etc.

https://deno.com/blog/v1.17#updates-to-the-deno-language-server

mfulton26 avatar Dec 17 '21 22:12 mfulton26

Need this.

rojvv avatar Jan 26 '22 14:01 rojvv

bump

KorigamiK avatar Jul 10 '22 11:07 KorigamiK

I think that there are two ways to support deno; import_map.json and mod.ts dependencies... I suppose that dependabot should only support import_map.json as it's a future-proof standard.

Any plans for supporting Deno in the future? Thanks!

DanielRamosAcosta avatar Dec 08 '22 12:12 DanielRamosAcosta

Having looked through lots of projects trying to find a standard for my own, it looks like it's split between import_map.json, deps.ts and a hodgepodge of other dependency trackers or raw imports. I can see how this would be difficult to track and manage. That said, with as much as Deno has established itself in the development community it would be worthwhile to at least try to support either import_map.json or deps.ts (ideally both). I feel that if Dependabot can support Gradle (Java's top freeform dependency manager) that deps.ts should be a breeze, and that import_map.json is only a stone's throw from npm's package-lock.json.

It would be great to get a timeline on this, considering the issue has been open for over two years now.

ndm13 avatar Dec 24 '22 11:12 ndm13

I think we should consider relying on the more standardized deno.lock file (and optionally deno.json that specifies lockfile location), which if present will not only encode package versions but also their hashes, so Dependabot could even detect if the hash changed without changing the version.

dinvlad avatar Feb 01 '23 05:02 dinvlad

Any update(s) on this?

fyrfnn avatar Dec 26 '23 07:12 fyrfnn

Seems like new ecosystems are now welcomed from maintainers in https://github.com/dependabot/dependabot-core/commit/0f931f452e9e51a3996a010ca21c90115b7f80cf

zimeg avatar Feb 11 '24 23:02 zimeg

Supporting import_map.json (and deno.json because it's a superset) isn't only Deno-specific. It would also help frontend apps that don't need a build step and only use vanilla HTML/CSS/JS. The only problem is the large number of various JS CDNs that would need to be supported.

Another feature that would be useful for Deno in particular is support for jsr: https://jsr.io/docs/using-packages

phaux avatar Jul 01 '24 14:07 phaux

Given that other ecosystems directly shell out to the pm (as opposed to Renovate, which does it from scratch), I'd just shell out to molt, and let it handle it. It's worked great for my use cases, it's just not automated. On the other hand, it does have it's own competition (molt-action, though I haven't tried it), so maybe not worth it?

lishaduck avatar Aug 20 '24 00:08 lishaduck