Automating Dependency Management with Renovate

Step into the future and recruit a dependency management bot for your organisation. Renovate keeps your package versions up and your technical debt down.

What is Renovate?

Renovate is an open-source software tool that automates dependency management. This includes running the following tasks:

  • Periodically scanning package registries (e.g. npm) for new package versions.
  • Detecting whether your repositories can have any of their dependencies upgraded.
  • Creating detailed pull requests against your repositories to apply the upgrades.

The image below shows an example of a pull request that was opened by Renovate. My project is currently using eslint v7.29.0, but an update to v7.30.0 is now available.

Renovate example pull request screenshot
https://github.com/lachiejames/code-review-leaderboard/pull/35

To apply this upgrade:

  • (Optional) Check the Release Notes to view the changes that are being introduced.
  • Check that your CI/CD pipeline build succeeded. If not, consult the Release Notes for the required remediations.
  • Merge the pull request.

In this pull request, we can see that the changes in eslint v7.30.0 are mainly updates to the documentation.

Renovate example pull request release notes screenshot

Why should I use Renovate?

At a glance, Renovate provides the following benefits:

  • Saves many hours of development time, hence saving money.
  • Ensures that you have the latest features available from your dependencies, including bug fixes.
  • Reduces the technical debt associated with outdated dependencies.
  • Keeps your application secure by ensuring that you have all of the latest security patches.

Keeping all dependencies up to date across all of your projects is hard, and it becomes infeasible when your organisation has many projects. Ignoring these updates increases technical debt and potentially exposes your applications to known security vulnerabilities.

This is the process for keeping dependencies up to date without Renovate:

  1. Compiling a list of the dependencies used across all projects within your organisation.
  2. Determining the latest version of each dependency.
  3. Checking if any of your projects have dependencies that are behind the latest versions.
  4. Opening a branch and committing the required changes.
  5. Ensuring that these updates pass all required checks. If not, apply remediations.
  6. Opening pull requests.
  7. Merging pull requests.

This is the process for keeping dependencies up to date with Renovate:

  1. Checking your emails to see if Renovate has created any new pull requests.
  2. Ensuring that the updates in these pull requests pass all required checks. If not, apply remediations.
  3. Merging pull requests.

How do I use Renovate?

The process is slightly different depending on which platform you are using. The list of platforms that Renovate supports is published in the Renovate documentation.

For GitHub, the setup is incredibly simple and only takes a few minutes. Get started by navigating to the Renovate GitHub app.

Renovate GitHub app page screenshot

Clicking the big green Install button will take you to the permissions page. From here, you can choose which repositories you would like to enable Renovate for. Leave the default settings if you would like Renovate to manage all of your repositories.

Renovate permissions screenshot

After installing the GitHub app, you will be redirected to the WhiteSource website to complete your activation. Click Activate Now and then Sign in with GitHub.

WhiteSource activation screenshot

Once your activation is completed, you will be able to view the Renovate Dashboard. There isn’t much to do here, but you can view Renovate’s activity across each of your repositories.

Renovate console screenshot

For each repository that has had Renovate enabled, you should find that an onboarding pull request has been opened.

Renovate onboarding pull request screenshot

Once this pull request is merged for a given repository, the following things will happen:

  • A renovate.json file will be added to the root of your project. This allows you to configure Renovate to suit your organisation’s needs.
  • Your project’s current dependencies will be scanned for potential upgrades.
  • If any dependencies have upgrades available, pull requests will be opened immediately to apply the upgrades.
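The onboarding pull request proposes a minimal renovate.json that just extends a preset (config:base in older Renovate versions, config:recommended in newer ones). The file below is an added example of how a security-minded team might extend that default; it is not the configuration from the original post or from the Renovate project, and the schedule, labels and release-age values are assumptions you would tune for your own organisation. The `description` fields are read by Renovate as documentation and act as the comments JSON otherwise lacks.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": ["config:base"],
  "dependencyDashboard": true,
  "labels": ["dependencies"],

  "description": "Assumed values: routine updates run early Monday (UTC), security fixes run as soon as they are known.",
  "schedule": ["before 6am on monday"],

  "vulnerabilityAlerts": {
    "description": "Updates driven by GitHub vulnerability alerts ignore the weekly schedule and get their own label for triage.",
    "labels": ["security"],
    "schedule": ["at any time"]
  },

  "lockFileMaintenance": {
    "description": "Periodically refresh transitive dependencies in the lock file, not only the direct ones.",
    "enabled": true
  },

  "packageRules": [
    {
      "description": "Patch, pin and digest updates are automerged, but only after the branch's status checks pass.",
      "matchUpdateTypes": ["patch", "pin", "digest"],
      "automerge": true
    },
    {
      "description": "Hold minor and major releases for 3 days so a version that is yanked or reported as compromised never reaches a PR. Older Renovate versions spell this setting stabilityDays.",
      "matchUpdateTypes": ["minor", "major"],
      "minimumReleaseAge": "3 days"
    }
  ]
}
```

Two caveats when adopting this: `vulnerabilityAlerts` only fires when the repository has GitHub's vulnerability alerts enabled and the Renovate app has permission to read them, so confirm that in the repository's security settings; and `automerge` relies on your CI being the gate, so a repository with no required status checks would merge patch updates without any test having run.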

Which Frameworks can use Renovate?

Renovate supports many popular languages and frameworks. You can view the most up-to-date list by navigating to the Renovate docs and expanding the Language Support menu.

At the time of writing, Renovate supports all major dependency frameworks for JavaScript, Java, PHP, Python, Ruby, and more.
