[Feature Request] Dependabot Support for Nim Package Ecosystem
Abstract
The Nim package ecosystem should be added to Dependabot version updates. Is this already planned / in development?
Motivation
Since Nim projects can have Nim libraries as their dependencies, their versions need to be kept up-to-date. Dependabot helps to do so. All Nim developers using GitHub would benefit.
Description
Dependabot is a bot for GitHub to automatically check for version updates to dependencies, written in Ruby. It is maintained here: https://github.com/dependabot/dependabot-core. Dependabot already supports numerous package ecosystems; unfortunately, Nim does not belong to this set. I would like to ask for adding it.
Code Examples
When implemented, Dependabot might check for Nim dependencies with a configuration similar to the following.
version: 2
updates:
  - package-ecosystem: nimble
    directory: /
    schedule:
      interval: daily
      time: '00:00'
Backwards Compatibility
There should not be problems with backwards compatibility.
Can you describe how much (and what kind of) effort would be required for this?
As a first step, I would like to suggest contacting the Dependabot maintainers. I do not know about the plans of the Dependabot project regarding which package registries are going to be added in the next releases; perhaps they are already working on a Nim integration. This should be the starting point and could happen in the easiest case by a simple GitHub issue.
The implementation definitely requires Ruby coding skills and knowledge about the code base of the Dependabot repository. These requirements are obviously satisfied by the Dependabot maintainers. I thus guess the implementation would be processed in cooperation with the Dependabot maintainers. It is possible that they are going to implement Nim support themselves. Members of the Nim project with Ruby experience could help in order to shorten the development time.
The Nim project will need to communicate the relevant technical details for an integration. It might be required to contribute certain interfaces, written in Nim, to the development process. Some ecosystems require those, maybe also Nim. This would be the responsibility of the Nim package registry team as they know best about these mechanisms and how to interface them.
This issue should probably go into https://github.com/nim-lang/nimble/issues
An alternative to Dependabot would be Renovate: https://github.com/renovatebot/renovate. It is written in TypeScript and comparable to Dependabot in its purpose -- suggesting updates for upcoming releases of dependencies. In fact, any solution assisting in keeping all dependencies up-to-date would support the development of Nim software. Although Renovate itself is not shipped with GitHub as Dependabot is, it is also available as a free hosted solution for all GitHub users (GitHub App), and furthermore available on other platforms, such as Azure and GitLab.
The maintainers of Renovate provide a form for requesting a new package registry: https://github.com/renovatebot/renovate/blob/main/docs/development/new-package-manager-template.md. When requesting support for a further ecosystem, it is required to answer all questions of this form such that the further steps can be planned and the necessary effort can be estimated.
What is the latest on this issue; would it be possible to also take Renovate into account?
If a certain Nim dependency should be released not only by pushing the respective update to the registry but also by creating a corresponding GitHub release, Renovate is already able to fetch that update as it can be configured to watch GitHub repositories for new releases and to update the manifest using regular expressions. However, this would imply the necessity for all Nim developers to create a GitHub release for each new version, which might cause problems for some development workflows. Thus, the regex approach with Renovate cannot replace full registry support.
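The regex approach described in the last comment, as an added JavaScript sketch that is not part of the thread and is not Renovate's or Dependabot's code: a pattern with named groups finds an annotated `requires` line in a `.nimble` manifest, and the pinned version is rewritten to the newest stable release tag. The `# renovate: repo=` annotation, the `example-org` repository, the exact `==` pins and the release list are all constructed assumptions.

```javascript
// Added sketch; not Renovate's or Dependabot's code.
// Constructed manifest. The "# renovate: repo=" annotation and the
// example-org/* names are assumptions made for this illustration.
const SAMPLE_NIMBLE = `version = "0.1.0"
requires "nim >= 1.6.0"
# renovate: repo=example-org/httpkit
requires "httpkit == 1.2.0"
requires "jsonutil == 0.4.1"
`;
// Constructed release tags, standing in for a GitHub releases lookup.
const SAMPLE_RELEASES = {
  "example-org/httpkit": ["v1.2.0", "v1.10.0", "v1.9.3", "v2.0.0-rc1"],
};

// Named groups say which repository to watch and where the pinned version is.
const DEP_RE =
  /^# renovate: repo=(?<repo>\S+)\nrequires "(?<name>[\w.-]+) == (?<current>\d+\.\d+\.\d+)"/gm;

function extractDeps(manifest) {
  return [...manifest.matchAll(DEP_RE)].map((m) => ({
    ...m.groups,
    // The match ends with `<current>"`, so the version starts here.
    offset: m.index + m[0].length - m.groups.current.length - 1,
  }));
}

// True when version a is greater than b, comparing components numerically.
function newer(a, b) {
  const [x, y] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return false;
}

function proposeUpdates(manifest, releases) {
  let out = manifest;
  const updates = [];
  // Walk matches back to front so earlier offsets stay valid after a rewrite.
  for (const dep of extractDeps(manifest).reverse()) {
    const latest = (releases[dep.repo] || [])
      .map((tag) => tag.replace(/^v/, ""))
      .filter((v) => /^\d+\.\d+\.\d+$/.test(v)) // skip pre-release tags
      .reduce((best, v) => (newer(v, best) ? v : best), dep.current);
    if (latest === dep.current) continue;
    out = out.slice(0, dep.offset) + latest + out.slice(dep.offset + dep.current.length);
    updates.push({ name: dep.name, from: dep.current, to: latest });
  }
  return { manifest: out, updates };
}
```

Only `httpkit` is updated here: `jsonutil` has no annotation and no release feed, so it stays pinned at its old version, which is the gap the comment points to.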