
Keeping template dependencies safe

Open dkundel opened this issue 4 years ago • 1 comment

I think we should invest in some automation that keeps the dependencies safe.

Right now we can use Dependabot to keep top level dependencies up-to-date but not the nested ones for the templates themselves. My suggestion is the following:

  1. Add every dependency that exists in any template as a devDependency for the root package.json
  2. Create the same automation that we use in github.com/twilio-labs/sample-template-nodejs that will run tests on PRs and if they pass and the PR came from Dependabot it will automatically be merged
  3. Create a script that can read the root package.json and update all the nested package.json accordingly
  4. Create a GitHub action that is triggered on push to master that will run the script from (3) and commit any needed changes

Possible concerns/issues:

  • What happens when Dependabot does package-lock.json updates? Should we be concerned, or only rely on semver? Most of those are nested deps anyway, meaning we don't have control over them.

dkundel avatar Mar 24 '20 20:03 dkundel

@philnash would love your opinion

dkundel avatar Mar 24 '20 20:03 dkundel