
Add renovate and bolt for auto-package updates, and CVEs

Open davidzwa opened this issue 1 year ago • 5 comments

Fixes #33. Might fix #34.

  • Add Mend Renovate as a bot (here)
    • Setting: pull-request requirement should be enabled (optional)
    • Required actions to complete CI (optional)
    • Pin the npm package versions (required; this is how Renovate works best: it will take over specific versions automatically)
  • Add Mend Bolt (https://github.com/marketplace/whitesource-bolt) as a bot
    • Add Mend for CVE detection (if not wanted, let me know; I can revert this)
    • Mend was previously known as Whitesource

What will happen?

  • A lot of PRs will open up at first. This is normal for a first start.
  • On a daily schedule, package-lock PRs will be created to update lock-file dependencies 🥳
  • A Renovate dashboard issue will appear tracking all open PRs
  • CVE issues will be made (and closed automatically when resolved on main, to keep users informed about their status)

In case of questions about Renovate and/or Bolt, please ask away!

davidzwa avatar Oct 23 '23 18:10 davidzwa

Hi @davidzwa thanks for the PR!

Renovate looks like an interesting alternative to Dependabot, which doesn’t seem to do its job on this repo for whatever reason.

Can you explain why renovate works best with pinned dependency versions?

This change is currently causing a conflict that’s preventing the merge.

As a library author, pinned versions are generally a no-no, since we actually want library consumers to use the latest, safe versions of all library deps.

I think this change would mean that users of openapicmd have to now manually override dependency versions using overrides or resolutions in their package.lock, or wait for a new openapicmd release to get updated deps (e.g. for openapi-client-axios-typegen).

Otherwise LGTM.

anttiviljami avatar Nov 11 '23 20:11 anttiviljami

> Hi @davidzwa thanks for the PR!
>
> Renovate looks like an interesting alternative to Dependabot, which doesn’t seem to do its job on this repo for whatever reason.
>
> Can you explain why renovate works best with pinned dependency versions?

Good question! I just looked it up to be sure. They actually do not require it like I initially thought 👍🏼 https://docs.renovatebot.com/dependency-pinning/#so-whats-best

So my follow-up question is: shall we pin the devDependencies? Those are not required for external use.

> This change is currently causing a conflict that’s preventing the merge.
>
> As a library author, pinned versions are generally a no-no, since we actually want library consumers to use the latest, safe versions of all library deps.

I agree.

> I think this change would mean that users of openapicmd have to now manually override dependency versions using overrides or resolutions in their package.lock, or wait for a new openapicmd release to get updated deps (e.g. for openapi-client-axios-typegen).

Yeah, not a workable solution. See answer above.

> Otherwise LGTM.

Will fix the conflict now.

davidzwa avatar Nov 12 '23 07:11 davidzwa

I've completely removed and re-locked with NPM. There is quite a lot of wiggle room, which could also lead to bugs later, as users might have a different set of packages installed.

@anttiviljami we should discuss the non-pinning range strategy next. Could you take a look at these 3 sections:

  • dependencies setting: https://docs.renovatebot.com/presets-default/#pindependencies
  • devDependencies setting: https://docs.renovatebot.com/presets-default/#pindevdependencies
  • rangeStrategy options: https://docs.renovatebot.com/configuration-options/#rangestrategy

Viable options in my opinion are: bump, replace, widen, update-lockfile and in-range-only. I suggest setting dependencies to update-lockfile, as it is a balanced option (not too conservative, but it also won't be stuck in the range). I suggest setting devDependencies to pin or auto.

davidzwa avatar Nov 12 '23 08:11 davidzwa
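The split proposed above (update-lockfile for dependencies, pin for devDependencies) written out as a Renovate configuration file. This is an added illustration, not a file from this PR or from the openapicmd repository; the config:recommended preset, the dependency dashboard flag and the lockFileMaintenance schedule are assumptions chosen to match the behaviour described in the PR description, not settings the thread itself states. Renovate accepts a renovate.json5 file, which allows comments.

```json5
// renovate.json5 (added example; assumed settings are marked)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Assumed: start from Renovate's recommended preset.
  "extends": ["config:recommended"],

  // Assumed: the "Renovate dashboard issue" mentioned in the PR description.
  "dependencyDashboard": true,

  // Assumed: daily lock-file refresh PRs; "before 5am" is Renovate schedule syntax.
  "lockFileMaintenance": {
    "enabled": true,
    "schedule": ["before 5am"]
  },

  "packageRules": [
    {
      // Runtime deps: keep the semver ranges consumers see in package.json,
      // only bump the resolved version inside package-lock.json.
      "matchDepTypes": ["dependencies"],
      "rangeStrategy": "update-lockfile"
    },
    {
      // Dev-only deps: pin to exact versions; this affects only this repo's build,
      // never what library consumers install.
      "matchDepTypes": ["devDependencies"],
      "rangeStrategy": "pin"
    }
  ]
}
```

With update-lockfile on the runtime dependencies, the ranges published to npm stay untouched, so consumers of the library still resolve the newest version the range allows rather than being held to a version openapicmd last released with.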

@anttiviljami interested in your review.

davidzwa avatar Nov 26 '23 09:11 davidzwa

Segfault during tests 🤔

Any idea @davidzwa ?

anttiviljami avatar Nov 26 '23 11:11 anttiviljami

Renovate doesn't need pinned versions in your package.json. I work with renovate without pinned versions. The lock file is the place to pin a version.

If you pin dependencies in your package, know that users are forced to use that pinned version. If there is a bugfix in a dependency, you have to update your dependency also. So if you pin, you have to release more often to keep it up-to-date. I personally don't like packages that pin versions, because I have to wait till that package releases a new version with the updated dependency.

So be careful about pinning dependencies. It is not needed for renovate. Check what is best for the users of your package.

w3nl avatar Sep 23 '24 09:09 w3nl